SlideShare a Scribd company logo

Ch04 after modifications

Download as PPT, PDF
S
saeedjaber1
Education
1 of 36
Chapter 4: Identification & Authentication Chapter 4: 1
Agenda  User authentication  Identification & authentication  Passwords  how to get the password to the user  forgotten passwords  password guessing  password spoofing  compromise of the password file  Biometrics Chapter 4: 2
Introduction  Authentication: process of verifying a user’s identity.  Two reasons for authenticating a user:  The user identity is a parameter in access control decisions.  The user identity is recorded when logging security relevant events in an audit trail. Chapter 4: 3
Identification & Authentication  When logging on to a computer you enter  user name and  password  The first step is called identification:  You announce who you are.  The second step is called authentication;  You prove that you are who you claim to be.  Authentication by password is widely accepted and not too difficult to implement. Chapter 4: 4
Bootstrapping Authentication  Passwords should be secrets shared between the user and the system authenticating the user.  How do you bootstrap a system so that the password ends up in the right places, but nowhere else?  In an enterprise, users can collect their password personally.  Otherwise, the password could be sent by mail, email, or phone, or entered by the user on a web page.  You now have to consider who might intercept the message and who might actually pick it up.  E.g., a letter containing the password for an online bank account might be stolen or an impersonator may phone in asking for another user’s password. Chapter 4: 5
Authenticating a Remote User 1. Do not give the password to the caller but call back an authorized phone number from your files, e.g. from an internal company address book. 2. Call back someone else, e.g. the caller’s manager or local security officer. 3. Send passwords that are valid only for a single log-in request so that the user has to change immediately to a password not known by the sender. 4. Send mail by courier with personal delivery. 5. Request confirmation on a different channel to activate user account, e.g. enter the password on a web page and send confirmation by SMS (phone). Chapter 4: 6
Resetting Passwords  When setting up a new user account some delay in getting the password may be tolerated.  Global organisations must staff a hot desk round the clock,  On a web site, auxiliary information may authenticate a user: mother’s maiden name, phone number, name of pet, … Chapter 4: 7
Guessing Passwords  Exhaustive search (brute force): try all possible combinations of valid symbols up to a certain length.  Intelligent search: search through a restricted name space, e.g. passwords that are somehow associated with a user like name, names of friends and relatives, car brand, car registration number, phone number,…, or try passwords that are generally popular.  Typical example for the second approach: dictionary attack trying all passwords from an on-line dictionary. Chapter 4: 8
Defences  Change default passwords: often passwords for system accounts have a default value like “manager”.  Avoid guessable passwords:  Prescribe a minimal password length.  Password format: mix upper and lower case, include numerical and other non-alphabetical symbols.  Today on-line dictionaries for almost every language exist. Chapter 4: 9
Defences  Password ageing: set an expiry dates for passwords to force users to change passwords regularly.  Prevent users from reverting to old passwords, e.g. keep a list of the last ten passwords used.  Limit login attempts: the system can monitor unsuccessful login attempts and react by locking the user account (completely or for a given time interval) to prevent or discourage further attempts.  Inform user: after successful login, display time of last login and the number of failed login attempts since, to warn the user about recently attempted attacks. Chapter 4: 10
Password Security  Passwords will be written on a piece of paper kept close to the computer.  Security experts routinely look out for passwords on notes posted on computer terminals.  Is it always a bad idea to write down your password? Chapter 4: 11
Password Security  People are best at memorizing passwords they use regularly.  Passwords work reasonably well in situations where they are entered quite frequently, but not so with systems used only occasionally.  Good advice:  When changing a password, type it immediately several times.  Do not change passwords before weekends or holidays. Chapter 4: 12
Phishing and Spoofing  In phishing and spoofing attacks a party voluntarily sends the password over a channel, but is misled about the end point of the channel. Chapter 4: 13
Spoofing Attacks  Attacker starts a program that presents a fake login screen and leaves the computer.  If the next user coming to this machine enters username and password on the fake login screen, these values are captured by the program.  Login is then typically aborted with a (fake) error message and the spoofing program terminates.  Control returned to operating system, which now prompts the user with a genuine login request. Chapter 4: 14
Countermeasures  Display number of failed logins: may indicate to the user that an attack has happened.  Trusted path: guarantee that user communicates with the operating system and not with a spoofing program; e.g., Windows has a secure attention key CTRL+ALT+DEL for invoking the operating system logon screen.  Mutual authentication: user authenticated to system, system authenticated to user. Chapter 4: 15
Phishing  Phishing: attacker impersonates the system to trick a user into releasing the password to the attacker.  E.g., a message could claim to come from a service you are using, tell you about an upgrade of the security procedures, and ask you to enter your username and password at the new security site that will offer stronger protection.  Take care to enter your passwords only at the “right” site (but how do you know?)  Social engineering: attacker impersonates the user to trick a system operator into releasing the password to the attacker. Chapter 4: 16
Protecting the Password File  Attacker could try to compromise the confidentiality or integrity of this password file.  Options for protecting the password file:  cryptographic protection,  access control enforced by the operating system,  combination of cryptographic protection and access control, possibly with further measures to slow down dictionary attacks. Chapter 4: 17
One-way Functions  For cryptographic protection we can use one-way functions (cryptographic hash functions).  Definition: A one-way function f is a function that is relatively easy to compute but hard to reverse.  Given an input x it is easy to compute f(x), but given an output y it is hard to find x so that y = f(x)  Instead of the password x, the value f(x) is stored in the password file; when a user logs in entering a password x’, the system applies the one-way function f and compares f(x’) with the expected value f(x). Chapter 4: 18
Password Salting  To slow down dictionary attacks, a salt is appended to the password before encryption and stored with the encrypted password.  If two users have the same password, they will now have different entries in the file of encrypted passwords.  Example: Unix uses a 12 bit salt. Chapter 4: 19
Access Control Settings  Only privileged users must have write access to the password file.  Otherwise, an attacker could get access to the data of other users simply by changing their password, even if it is protected by cryptographic means. Chapter 4: 20
Lesson  You have seen examples for two security design principles.  Combining mechanisms can enhance protection.  Use of encryption and access control to guard password files.  Separate security relevant data from data that should be openly available.  In Unix, /etc/passwd contains both types of data; shadow password files achieve the desired separation. Chapter 4: 21
Single Sign-on  Having to remember many passwords for different services is a nuisance; with a single sign-on service, you have to enter your password only once.  A simplistic single-sign on service could store your password and do the job for you whenever you have to authenticate yourself.  Such a service adds to your convenience but it also raises new security concerns.  System designers have to balance convenience and security; ease-of-use is an important factor in making IT systems really useful, but many practices which are convenient also introduce new vulnerabilities. Chapter 4: 22
More on Authentication  If you are dissatisfied with the level of security provided by passwords, what else can you do?  In general, the following options are open.  You can be authenticated on the basis of 1. something you know, 2. something you hold, 3. who you are, 4. what you do, 5. where you are. Chapter 4: 23
1-Something You Know  The user has to know some secret to be authenticated.  Examples: password, personal identification number (PIN), personal information like home address, date of birth, name of spouse (used e.g. by banks to authenticate customers on the phone). Chapter 4: 24
2-Something You Hold  User presents a physical token to be authenticated.  Examples: keys, cards or identity tags (access to buildings), smart cards.  Physical tokens can be lost or stolen.  To increase security, physical tokens are often used in combination with something you know, e.g. bank cards come with a PIN or with a photo of the user. Chapter 4: 25
3-Who You Are  Biometric schemes use unique physical characteristics (traits, features) of a person such as face, finger prints, iris patterns, hand geometry (maybe even DNA at some time in the future).  Biometrics may seem to offer the most secure solution for authenticating a person. Chapter 4: 26
Fingerprint  Enrolment: reference sample of the user’s fingerprint is acquired at a fingerprint reader.  Features are derived from the sample.  Fingerprint minutiae: end points of ridges, bifurcation points, core, delta, loops, whorls, …  For higher accuracy, record features for more than one finger.  Feature vectors are stored in a secure database.  When the user logs on, a new reading of the fingerprint is taken; features are compared against the reference features. Chapter 4: 27
Identification & Verification  Biometrics are used for two purposes:  Identification: 1:n comparison tries to identify the user from a database of n persons.  Verification: 1:1 comparison checks whether there is a match for a given user.  Authentication by password: clear reject or accept at each authentication attempt.  Biometrics: stored reference features will hardly ever match precisely features derived from the current measurements. Chapter 4: 28
Failure Rates  Measure similarity between reference features and current features.  User is accepted if match is above a predefined threshold.  New issue: false positives and false negatives  Accept wrong user (false positive): security problem.  Reject legitimate user (false negative): creates embarrassment and an inefficient work environment. Chapter 4: 29
Technology Analysis  Based on a (given) databases of biometric samples.  Measures performance of the algorithms extracting and comparing biometric features.  False match rate (FMR): FMR = number of successful false matches number of attempted false matches  False non-match rate (FNMR): FNMR = number of rejected genuine matches number of attempted genuine matches Chapter 4: 30
Equal-error Rate  Equal error rate (EER): given by the threshold value where FMR and FNMR are equal.  Currently, the best state-of-the-art fingerprint recognition schemes have an EER of about 0.5 - 2%.  Iris pattern recognition has a superior performance.  State of the art: http://atvs.ii.uam.es/fvc2006.html. Chapter 4: 31
FMR, FNMR, EER FMR FNMR 30% 20% 10% EER 0% 0 Matching Threshold (in %) 1 Chapter 4: 32
Scenario Analysis  Records error rates in actual field trials; measures performance of fingerprint reader (hardware and software) capturing templates at log-in time.  Failure-to-capture rate (FTC): frequency of failing to capture a sample.  Failure-to-extract rate (FTX): frequency of failing to extract a feature from a sample.  Failure-to-acquire rate: frequency of failing to acquire a biometric feature: FTA = FTC + FTX⋅(1 - FTC)  False accept rate for the entire biometric scheme: FAR = FMR ⋅ (1 - FTA).  False reject rate: FRR = FTA + FNMR ⋅ (1 - FTA). Chapter 4: 33
Madrid Error (2004)  False positive identification rate for a database with n persons:  FPIR = (1 - FTA) ⋅ (1 - (1 - FMR)n).  A fingerprint found in the Madrid train bombing was compared against a database of 530 million entries.  A match was found and linked by four experts with 100% confidence to a US citizen (B. Mayfield).  They were wrong: the guy did not even have a passport and had not left the country.  Criteria for matching features had to be re-appraised.  http://www.henrytempleman.com/madrid_error, http://www.onin.com/fp/problemidents.html Chapter 4: 34
4-What You Do  People perform mechanical tasks in a way that is both repeatable and specific to the individual.  Experts look at the dynamics of handwriting to detect forgeries.  Users could sign on a special pad that measures attributes like writing speed and writing pressure.  On a keyboard, typing speed and key strokes intervals can be used to authenticate individual users. Chapter 4: 35
5-Where You Are  Some operating systems grant access only if you log on from a certain terminal.  A system manager may only log on from an operator console but not from an arbitrary user terminal.  Users may be only allowed to log on from a workstation in their office.  Decisions of this kind will be even more frequent in mobile and distributed computing.  Global Positioning System (GPS) might be used to established the precise geographical location of a user during authentication. Chapter 4: 36

Recommended

A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 
Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolAfnic
 
Unlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityUnlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityIJCSEA Journal
 
C0210014017
C0210014017C0210014017
C0210014017researchinventy
 
Access Controls Attacks
Access Controls AttacksAccess Controls Attacks
Access Controls AttacksHafiza Abas
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) ijceronline
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Komal Mehfooz
 

Recommended

A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...A novel way of integrating voice recognition and one time passwords to preven...
A novel way of integrating voice recognition and one time passwords to preven...ijdpsjournal
 
Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolAfnic
 
Unlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityUnlimited Length Random Passwords for Exponentially Increased Security
Unlimited Length Random Passwords for Exponentially Increased SecurityIJCSEA Journal
 
C0210014017
C0210014017C0210014017
C0210014017researchinventy
 
Access Controls Attacks
Access Controls AttacksAccess Controls Attacks
Access Controls AttacksHafiza Abas
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) ijceronline
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Komal Mehfooz
 
Ceh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesCeh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesVi Tính Hoàng Nam
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementBarrel Software
 
Unit 2aa
Unit 2aaUnit 2aa
Unit 2aaSheetal Verma
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting ServicesMarco Balduzzi
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftidsecconf
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofingMattChapman50
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)eSAT Journals
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)eSAT Publishing House
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01Miigaa Mine
 
Web spoofing
Web spoofingWeb spoofing
Web spoofingkondalarao7
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1Charles Klondike
 
1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
C02
C02C02
C02newbie2019
 

More Related Content

What's hot

Ceh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesCeh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesVi Tính Hoàng Nam
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementBarrel Software
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting ServicesMarco Balduzzi
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftidsecconf
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Password hacking
Password hackingPassword hacking
Password hackingMr. FM
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewYury Chemerkin
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofingMattChapman50
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)eSAT Journals
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)eSAT Publishing House
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01Miigaa Mine
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 

What's hot (19)

Ceh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesCeh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniques
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & Management
 
Unit 2aa
Unit 2aaUnit 2aa
Unit 2aa
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting Services
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelines
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Password hacking
Password hackingPassword hacking
Password hacking
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofing
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)
 
Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)Web phish detection (an evolutionary approach)
Web phish detection (an evolutionary approach)
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
 
Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01Computersystemssecurity 090529105555-phpapp01
Computersystemssecurity 090529105555-phpapp01
 
Web spoofing
Web spoofingWeb spoofing
Web spoofing
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomware
 
NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1NWSLTR_Volume12_Issue1
NWSLTR_Volume12_Issue1
 

Similar to Ch04 after modifications

1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaperHai Nguyen
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxFarhanaMariyam1
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication IJMER
 
Crypto Security Matters: Safeguarding Your Digital Assets
Crypto Security Matters: Safeguarding Your Digital AssetsCrypto Security Matters: Safeguarding Your Digital Assets
Crypto Security Matters: Safeguarding Your Digital AssetsKrypto Cash
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxMohammedYusuf609377
 
Saiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSASaiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSACarl Saiyed
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
Security for e commerce
Security for e commerceSecurity for e commerce
Security for e commerceMohsin Ahmad
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial PlannersMichael O'Phelan
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
a)In the words of Snowden properly Imlemented strong crypto system.pdf
a)In the words of Snowden properly Imlemented strong crypto system.pdfa)In the words of Snowden properly Imlemented strong crypto system.pdf
a)In the words of Snowden properly Imlemented strong crypto system.pdfaoneonlinestore1
 
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDAN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDIJNSA Journal
 
CHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnCHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnMaximaSheffield592
 

Similar to Ch04 after modifications (20)

1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper1208 wp-two-factor-and-swivel-whitepaper
1208 wp-two-factor-and-swivel-whitepaper
 
Ethical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptxEthical hacking for Business or Management.pptx
Ethical hacking for Business or Management.pptx
 
C02
C02C02
C02
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
Crypto Security Matters: Safeguarding Your Digital Assets
Crypto Security Matters: Safeguarding Your Digital AssetsCrypto Security Matters: Safeguarding Your Digital Assets
Crypto Security Matters: Safeguarding Your Digital Assets
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptx
 
Saiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSASaiyed_Crypto_Article_ISSA
Saiyed_Crypto_Article_ISSA
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 
Security for e commerce
Security for e commerceSecurity for e commerce
Security for e commerce
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
Unit 5
Unit 5Unit 5
Unit 5
 
Chapter 5.pptx
Chapter 5.pptxChapter 5.pptx
Chapter 5.pptx
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
a)In the words of Snowden properly Imlemented strong crypto system.pdf
a)In the words of Snowden properly Imlemented strong crypto system.pdfa)In the words of Snowden properly Imlemented strong crypto system.pdf
a)In the words of Snowden properly Imlemented strong crypto system.pdf
 
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORDAN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD
 
CHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization OnCHAPTER 7 Authentication and Authorization On
CHAPTER 7 Authentication and Authorization On
 

Recently uploaded

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 

Recently uploaded (20)

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 

Ch04 after modifications

  • 1. Chapter 4: Identification & Authentication Chapter 4: 1
  • 2. Agenda  User authentication  Identification & authentication  Passwords  how to get the password to the user  forgotten passwords  password guessing  password spoofing  compromise of the password file  Biometrics Chapter 4: 2
  • 3. Introduction  Authentication: process of verifying a user’s identity.  Two reasons for authenticating a user:  The user identity is a parameter in access control decisions.  The user identity is recorded when logging security relevant events in an audit trail. Chapter 4: 3
  • 4. Identification & Authentication  When logging on to a computer you enter  user name and  password  The first step is called identification:  You announce who you are.  The second step is called authentication;  You prove that you are who you claim to be.  Authentication by password is widely accepted and not too difficult to implement. Chapter 4: 4
  • 5. Bootstrapping Authentication  Passwords should be secrets shared between the user and the system authenticating the user.  How do you bootstrap a system so that the password ends up in the right places, but nowhere else?  In an enterprise, users can collect their password personally.  Otherwise, the password could be sent by mail, email, or phone, or entered by the user on a web page.  You now have to consider who might intercept the message and who might actually pick it up.  E.g., a letter containing the password for an online bank account might be stolen or an impersonator may phone in asking for another user’s password. Chapter 4: 5
  • 6. Authenticating a Remote User 1. Do not give the password to the caller but call back an authorized phone number from your files, e.g. from an internal company address book. 2. Call back someone else, e.g. the caller’s manager or local security officer. 3. Send passwords that are valid only for a single log-in request so that the user has to change immediately to a password not known by the sender. 4. Send mail by courier with personal delivery. 5. Request confirmation on a different channel to activate user account, e.g. enter the password on a web page and send confirmation by SMS (phone). Chapter 4: 6
  • 7. Resetting Passwords  When setting up a new user account some delay in getting the password may be tolerated.  Global organisations must staff a hot desk round the clock,  On a web site, auxiliary information may authenticate a user: mother’s maiden name, phone number, name of pet, … Chapter 4: 7
  • 8. Guessing Passwords  Exhaustive search (brute force): try all possible combinations of valid symbols up to a certain length.  Intelligent search: search through a restricted name space, e.g. passwords that are somehow associated with a user like name, names of friends and relatives, car brand, car registration number, phone number,…, or try passwords that are generally popular.  Typical example for the second approach: dictionary attack trying all passwords from an on-line dictionary. Chapter 4: 8
  • 9. Defences  Change default passwords: often passwords for system accounts have a default value like “manager”.  Avoid guessable passwords:  Prescribe a minimal password length.  Password format: mix upper and lower case, include numerical and other non-alphabetical symbols.  Today on-line dictionaries for almost every language exist. Chapter 4: 9
  • 10. Defences  Password ageing: set an expiry dates for passwords to force users to change passwords regularly.  Prevent users from reverting to old passwords, e.g. keep a list of the last ten passwords used.  Limit login attempts: the system can monitor unsuccessful login attempts and react by locking the user account (completely or for a given time interval) to prevent or discourage further attempts.  Inform user: after successful login, display time of last login and the number of failed login attempts since, to warn the user about recently attempted attacks. Chapter 4: 10
  • 11. Password Security  Passwords will be written on a piece of paper kept close to the computer.  Security experts routinely look out for passwords on notes posted on computer terminals.  Is it always a bad idea to write down your password? Chapter 4: 11
  • 12. Password Security  People are best at memorizing passwords they use regularly.  Passwords work reasonably well in situations where they are entered quite frequently, but not so with systems used only occasionally.  Good advice:  When changing a password, type it immediately several times.  Do not change passwords before weekends or holidays. Chapter 4: 12
  • 13. Phishing and Spoofing  In phishing and spoofing attacks a party voluntarily sends the password over a channel, but is misled about the end point of the channel. Chapter 4: 13
  • 14. Spoofing Attacks  Attacker starts a program that presents a fake login screen and leaves the computer.  If the next user coming to this machine enters username and password on the fake login screen, these values are captured by the program.  Login is then typically aborted with a (fake) error message and the spoofing program terminates.  Control returned to operating system, which now prompts the user with a genuine login request. Chapter 4: 14
  • 15. Countermeasures  Display number of failed logins: may indicate to the user that an attack has happened.  Trusted path: guarantee that user communicates with the operating system and not with a spoofing program; e.g., Windows has a secure attention key CTRL+ALT+DEL for invoking the operating system logon screen.  Mutual authentication: user authenticated to system, system authenticated to user. Chapter 4: 15
  • 16. Phishing  Phishing: attacker impersonates the system to trick a user into releasing the password to the attacker.  E.g., a message could claim to come from a service you are using, tell you about an upgrade of the security procedures, and ask you to enter your username and password at the new security site that will offer stronger protection.  Take care to enter your passwords only at the “right” site (but how do you know?)  Social engineering: attacker impersonates the user to trick a system operator into releasing the password to the attacker. Chapter 4: 16
  • 17. Protecting the Password File  Attacker could try to compromise the confidentiality or integrity of this password file.  Options for protecting the password file:  cryptographic protection,  access control enforced by the operating system,  combination of cryptographic protection and access control, possibly with further measures to slow down dictionary attacks. Chapter 4: 17
  • 18. One-way Functions  For cryptographic protection we can use one-way functions (cryptographic hash functions).  Definition: A one-way function f is a function that is relatively easy to compute but hard to reverse.  Given an input x it is easy to compute f(x), but given an output y it is hard to find x so that y = f(x)  Instead of the password x, the value f(x) is stored in the password file; when a user logs in entering a password x’, the system applies the one-way function f and compares f(x’) with the expected value f(x). Chapter 4: 18
  • 19. Password Salting  To slow down dictionary attacks, a salt is appended to the password before encryption and stored with the encrypted password.  If two users have the same password, they will now have different entries in the file of encrypted passwords.  Example: Unix uses a 12 bit salt. Chapter 4: 19
  • 20. Access Control Settings  Only privileged users must have write access to the password file.  Otherwise, an attacker could get access to the data of other users simply by changing their password, even if it is protected by cryptographic means. Chapter 4: 20
  • 21. Lesson  You have seen examples for two security design principles.  Combining mechanisms can enhance protection.  Use of encryption and access control to guard password files.  Separate security relevant data from data that should be openly available.  In Unix, /etc/passwd contains both types of data; shadow password files achieve the desired separation. Chapter 4: 21
  • 22. Single Sign-on  Having to remember many passwords for different services is a nuisance; with a single sign-on service, you have to enter your password only once.  A simplistic single-sign on service could store your password and do the job for you whenever you have to authenticate yourself.  Such a service adds to your convenience but it also raises new security concerns.  System designers have to balance convenience and security; ease-of-use is an important factor in making IT systems really useful, but many practices which are convenient also introduce new vulnerabilities. Chapter 4: 22
  • 23. More on Authentication  If you are dissatisfied with the level of security provided by passwords, what else can you do?  In general, the following options are open.  You can be authenticated on the basis of 1. something you know, 2. something you hold, 3. who you are, 4. what you do, 5. where you are. Chapter 4: 23
  • 24. 1-Something You Know  The user has to know some secret to be authenticated.  Examples: password, personal identification number (PIN), personal information like home address, date of birth, name of spouse (used e.g. by banks to authenticate customers on the phone). Chapter 4: 24
  • 25. 2-Something You Hold  User presents a physical token to be authenticated.  Examples: keys, cards or identity tags (access to buildings), smart cards.  Physical tokens can be lost or stolen.  To increase security, physical tokens are often used in combination with something you know, e.g. bank cards come with a PIN or with a photo of the user. Chapter 4: 25
  • 26. 3-Who You Are  Biometric schemes use unique physical characteristics (traits, features) of a person such as face, finger prints, iris patterns, hand geometry (maybe even DNA at some time in the future).  Biometrics may seem to offer the most secure solution for authenticating a person. Chapter 4: 26
  • 27. Fingerprint  Enrolment: reference sample of the user’s fingerprint is acquired at a fingerprint reader.  Features are derived from the sample.  Fingerprint minutiae: end points of ridges, bifurcation points, core, delta, loops, whorls, …  For higher accuracy, record features for more than one finger.  Feature vectors are stored in a secure database.  When the user logs on, a new reading of the fingerprint is taken; features are compared against the reference features. Chapter 4: 27
  • 28. Identification & Verification  Biometrics are used for two purposes:  Identification: 1:n comparison tries to identify the user from a database of n persons.  Verification: 1:1 comparison checks whether there is a match for a given user.  Authentication by password: clear reject or accept at each authentication attempt.  Biometrics: stored reference features will hardly ever match precisely features derived from the current measurements. Chapter 4: 28
  • 29. Failure Rates  Measure similarity between reference features and current features.  User is accepted if match is above a predefined threshold.  New issue: false positives and false negatives  Accept wrong user (false positive): security problem.  Reject legitimate user (false negative): creates embarrassment and an inefficient work environment. Chapter 4: 29
  • 30. Technology Analysis  Based on a (given) databases of biometric samples.  Measures performance of the algorithms extracting and comparing biometric features.  False match rate (FMR): FMR = number of successful false matches number of attempted false matches  False non-match rate (FNMR): FNMR = number of rejected genuine matches number of attempted genuine matches Chapter 4: 30
  • 31. Equal-error Rate  Equal error rate (EER): given by the threshold value where FMR and FNMR are equal.  Currently, the best state-of-the-art fingerprint recognition schemes have an EER of about 0.5 - 2%.  Iris pattern recognition has a superior performance.  State of the art: http://atvs.ii.uam.es/fvc2006.html. Chapter 4: 31
  • 32. FMR, FNMR, EER FMR FNMR 30% 20% 10% EER 0% 0 Matching Threshold (in %) 1 Chapter 4: 32
  • 33. Scenario Analysis  Records error rates in actual field trials; measures performance of fingerprint reader (hardware and software) capturing templates at log-in time.  Failure-to-capture rate (FTC): frequency of failing to capture a sample.  Failure-to-extract rate (FTX): frequency of failing to extract a feature from a sample.  Failure-to-acquire rate: frequency of failing to acquire a biometric feature: FTA = FTC + FTX⋅(1 - FTC)  False accept rate for the entire biometric scheme: FAR = FMR ⋅ (1 - FTA).  False reject rate: FRR = FTA + FNMR ⋅ (1 - FTA). Chapter 4: 33
  • 34. Madrid Error (2004)  False positive identification rate for a database with n persons:  FPIR = (1 - FTA) ⋅ (1 - (1 - FMR)n).  A fingerprint found in the Madrid train bombing was compared against a database of 530 million entries.  A match was found and linked by four experts with 100% confidence to a US citizen (B. Mayfield).  They were wrong: the guy did not even have a passport and had not left the country.  Criteria for matching features had to be re-appraised.  http://www.henrytempleman.com/madrid_error, http://www.onin.com/fp/problemidents.html Chapter 4: 34
  • 35. 4-What You Do  People perform mechanical tasks in a way that is both repeatable and specific to the individual.  Experts look at the dynamics of handwriting to detect forgeries.  Users could sign on a special pad that measures attributes like writing speed and writing pressure.  On a keyboard, typing speed and key strokes intervals can be used to authenticate individual users. Chapter 4: 35
  • 36. 5-Where You Are  Some operating systems grant access only if you log on from a certain terminal.  A system manager may only log on from an operator console but not from an arbitrary user terminal.  Users may be only allowed to log on from a workstation in their office.  Decisions of this kind will be even more frequent in mobile and distributed computing.  Global Positioning System (GPS) might be used to established the precise geographical location of a user during authentication. Chapter 4: 36