Lec 9 - Authentication Techniques

The document discusses various authentication concepts including passwords, tokens, biometrics, and CAPTCHAs. It describes different forms of authentication like something you know (e.g. passwords), something you have (e.g. tokens), and something you are (e.g. biometrics). The document also covers authentication models from one-factor to multi-factor authentication and discusses how CAPTCHAs are used to distinguish humans from robots on websites.
Networking Concepts and Cybersecurity

Authentication, or: Who are you?
Trust

• Trustworthy (meaning)
– able to be relied on as honest or truthful
• Examples of trust
• Discussion
– Why trust someone?
– Can we do without trusting anyone?
Examples - Trust
AUTHENTICATION
Authentication

• Authentication is the way of determining who someone is, so that you can decide whether they are allowed to access a resource or not.
• Definition (RFC 2828):
The process of verifying an identity claimed by or for a system entity.
Types of Authentication

• User authentication – used to ensure that the user of the system is who they claim to be
• Message authentication – used to ensure that messages have not been tampered with (typically referred to as integrity)
Purpose of Authentication

• Validates the identity of a person
• Once the person is authenticated, the system can decide what to do (or not to do) next with the person (authorization)
• Uses something to reasonably assume you are who you claim to be.
Problems with Authentication

• Assume you are meeting a secret agent (you only know that her name is Alice) for a top secret mission.
– Do you know who Alice is?
– How will you be sure that this is the right spy?
– Will some enemy trick you?
– How will the spy authenticate to you?
How to authenticate? or
Forms of Authentication

1. Something you know
– Username, password, PIN
2. Something you have
– Electronic keycards, smart cards, physical keys
3. Something you are
– Thumbprint, eye-print, face-print
SOMETHING YOU KNOW
Password authentication
• Basic idea
– User has a secret password
– System checks the password to authenticate the user.
Easiest to implement, but the least secure method
• Issues
– How is the password stored?
– How is the password transmitted?
– How easy is it to guess the password?
PASSWORD STORAGE
Password Storage
• If the password is stored so that it can be checked against, that stored copy is another vulnerable point.
• The password is hashed before being stored in the password file.
• The OS gets the password from the user, calculates the hash of the password, and then compares that with the hash stored in the password file.
Hash function

• A hash function H() is a function that takes a variable-length string and converts it into a fixed-length value.
• Example
– H(String1) = h1
– H(Colombo) = 23
– H(The Dark Knight) = 47
• This process cannot be undone
Hash function contd

• The user's password is stored as a hash value in the password file.
• When the user wants to log in,
– User enters the password
– System computes the hash value using the hash function.
– Compares it with the entry in the password file.
• No passwords stored on disk
Hash collision

• There is always a chance that a hash algorithm generates the same hash value for two different plaintext inputs.
Basic password scheme

[Figure: the user's password (e.g. kiwifruit) is hashed using a hash function before being stored in the password file, which holds only hashed values such as exrygbzyf, kgnosfix, ggjoklbsz.]
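As an added example, not taken from the slides: the hash-and-compare scheme above in Python. The slides store a bare hash H(password); this example extends that by mixing in a per-user random salt and using a slow hash (PBKDF2-HMAC-SHA256), so two users with the same password get different stored entries and every guess against a stolen file is expensive. The in-memory PASSWORD_FILE dict and the usernames are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory "password file": username -> (salt, hash).
PASSWORD_FILE: Dict[str, Tuple[bytes, bytes]] = {}

# Work factor for PBKDF2: each guess costs this many HMAC-SHA256 rounds,
# which slows down brute-force and dictionary attacks on a stolen file.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """H(): variable-length password -> fixed-length (32-byte) value.
    Extension of the slides' scheme: a per-user salt is mixed in so that
    two users with the same password do not get the same stored hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_user(username: str, password: str, salt: Optional[bytes] = None) -> None:
    """Hash the password before writing it to the password file; the
    plaintext password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    PASSWORD_FILE[username] = (salt, hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    """OS-side check: hash what the user typed and compare it with the
    stored hash. The stored value cannot be turned back into the password."""
    entry = PASSWORD_FILE.get(username)
    if entry is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    salt, stored = entry
    # Constant-time comparison: does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    store_user("alice", "kiwifruit")
    store_user("bob", "kiwifruit")
    print(verify_login("alice", "kiwifruit"))   # True
    print(verify_login("alice", "kiwifruits"))  # False
    print(PASSWORD_FILE["alice"][1] != PASSWORD_FILE["bob"][1])  # True: salted
```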
PASSWORD COMMUNICATION
Password communication

• To secure the password in transit, the communication should be encrypted using secure encryption methods
• This ensures that an attacker cannot eavesdrop on and intercept the communication
• Both symmetric and asymmetric encryption can be used
Replay attack

• Because passwords do not change, a replay attack can be mounted on an authentication process
• This is when the attacker intercepts the message used to send the encrypted password and later resends it to the service
• Even with encryption this can work!
Challenge Response Authentication
• Here the person/service doing the authentication sends a challenge to the person/service being authenticated
• This is appended/added/combined with the password in some way before being hashed
• Results in a one-time password being generated
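An added example (not from the slides) of the exchange described above, with the replay case from the previous slide: the server issues a random challenge, the client combines it with the password and hashes the result (here HMAC-SHA256 over a key derived from the password, an assumption about the "combined in some way" step), and the server consumes each challenge after one use, so the same captured response is rejected when resent. Server, Client and run_exchange are names invented for this demo.

```python
import hashlib
import hmac
import secrets
from typing import Set, Tuple

# Constructed demo: Server/Client names and the key derivation are assumptions.

def derive_key(password: str) -> bytes:
    """Both sides turn the shared password into a fixed-length key."""
    return hashlib.sha256(password.encode()).digest()

class Server:
    """The party doing the authentication: issues challenges, checks responses."""

    def __init__(self, password: str) -> None:
        self._key = derive_key(password)
        self._outstanding: Set[bytes] = set()  # issued, not yet answered

    def challenge(self) -> bytes:
        """Send a fresh random nonce; it is valid for exactly one response."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Accept only a correct response to a nonce that is still outstanding."""
        if nonce not in self._outstanding:
            return False  # unknown or already consumed nonce: a replay ends here
        self._outstanding.discard(nonce)  # the response is a one-time password
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Client:
    """The party being authenticated: combines the challenge with its password."""

    def __init__(self, password: str) -> None:
        self._key = derive_key(password)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

def run_exchange(server_password: str, client_password: str) -> Tuple[bool, bool]:
    """Returns (first response accepted, identical response accepted again)."""
    server, client = Server(server_password), Client(client_password)
    nonce = server.challenge()                  # server -> client
    response = client.respond(nonce)            # client -> server, visible on the wire
    first = server.verify(nonce, response)
    replayed = server.verify(nonce, response)   # the captured message sent again
    return first, replayed
```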
PASSWORD SECURITY
Password Attacks

The password is obtained by some means by an unauthorized person.
• Brute Force Attack – attempts all possible combinations in order
• Dictionary Attack – uses preset lists of common words to try and generate the password
• Social Engineering – tricking people into revealing their passwords
• Shoulder Surfing – watching people while they enter credentials
• Hacking Software – software such as keyloggers/screen capture software used to intercept passwords before they are hashed
Password Security

• Top 10 most used passwords
• Password policy
• Passphrase
• Best practices
SOMETHING YOU HAVE
Tokens

• Authentication depends on the person having access to a physical device
– RFID tag
– Credit card
– Security token
• The physical device contains the “password”, which is read directly from the device
Something you have

[Figure: Smart Card, Electronic Key Card, Hardware Token]

Hardware Token

• Hardware tokens contain an internal clock that, in combination with the device’s unique identifier, is used to generate a code
• This code changes on a regular basis, often every 30 s.
• The infrastructure used to keep track of such tokens can predict, for a given device, what the proper output will be at any given time and can use this to authenticate the user.
• Simulates an OTP (one-time password)
Hardware Token Security

• Owner must take precautions to ensure the physical security of the token
• Additional security measures can be taken
– Hashing of pass tokens
– Use of encryption for communications
– Challenge response protocols to eliminate replay attacks
SOMETHING YOU ARE
Biometrics
• Use a person’s physical characteristics
– fingerprint, voice, face, keyboard timing, …
• Advantages
– Cannot be disclosed, lost, forgotten
• Disadvantages
– Cost, installation, maintenance
– Reliability of comparison algorithms
• False positive: allows access to an unauthorized person
• False negative: denies access to an authorized person
– Privacy?
– If forged, how do you revoke?
AUTHENTICATION MODELS
Authentication Models
One-factor authentication
• Using only one authentication credential

Two-factor authentication
• Enhances security, particularly if different types of authentication methods are used
https://www.youtube.com/watch?v=AIOUlQeQbNM&list=WL&index=22

Three-factor authentication
• Requires that a user present three different types of authentication credentials
HUMAN AUTHENTICATION
CAPTCHA
• A CAPTCHA is a short online typing test that is easy for humans to pass but difficult for robotic software programs.
• It ensures that the response is generated by a person, and not a computer.
CAPTCHA
What Does CAPTCHA Stand For?

It stands for "Completely Automated Public Turing test to tell Computers and Humans Apart".

How Do CAPTCHAs Work?

CAPTCHAs work by asking you to type a phrase that a robot would be hard-pressed to read. Commonly, these CAPTCHA phrases are .gif pictures of scrambled words, but they can also be .mp3 voice recordings.
