KEMBAR78
User authentication | PPTX
CAS, profile picture
Uploaded byCAS
PPTX, PDF8,559 views

User authentication

The document discusses user authentication, a fundamental security process for verifying identities in systems. It covers various means of authentication, including passwords, tokens, and biometrics, detailing their vulnerabilities and advantages. Techniques for enhancing password security and the operation of biometric systems are also explored.

Technology
Related topics:
Computer Security
In this document
Powered by AI

Introduction to computer security by Mr. Rajasekar Ramalingam from the College of Applied Sciences, focusing on user authentication.

The content includes various aspects of user authentication, such as methods, vulnerabilities, and techniques.

User authentication is defined as verifying identities, vital for access control and accountability.

Four methods for user authentication: knowledge-based (passwords), possession-based (tokens), and biometrics (static and dynamic).

Password authentication is a common method where systems compare provided passwords against stored values.

Outlined vulnerabilities in password authentication, including various attack methods.

Details various attack strategies, including offline dictionary, specific account attacks, popular password, and user mistakes.

Use of hashed passwords with a salt in UNIX systems is explained, detailing password loading and verification processes.

Discusses dictionary attacks and rainbow table attacks as methods for password cracking.

Techniques for creating stronger passwords including user education and password checking methods.

Different types of tokens used for authentication, including embossed cards and smart cards.

Describes smartcards and embossed tokens concerning their functionality and drawbacks.

Biometric authentication includes unique physical characteristics, such as fingerprints and facial features for identity verification.

Overview of how biometric systems operate, enrollment processes, and the distinction between verification and identification.

Downloaded 193 times
COMPUTER SECURITY USERAUTHENTICATION Mr. RAJASEKAR RAMALINGAM Faculty - Department of IT College of Applied Sciences – Sur, Sultanate of Oman. vrrsekar@yahoo.com
CONTENT • USER AUTHENTICATION • MEANS OF USER AUTHENTICATION • PASSWORD AUTHENTICATION • PASSWORD VULNERABILITIES • USE OF HASHED PASSWORDS – IN UNIX • PASSWORD CRACKING TECHNIQUES • USING BETTER PASSWORDS • TOKEN AUTHENTICATION • BIOMETRIC AUTHENTICATION USER AUTHENTICATION 2
3 1. USER AUTHENTICATION • RFC 2828 defines user authentication as: • “The process of verifying an identity claimed by or for a system entity. • Fundamental security building block • Basis of most types of access control & for user accountability. • User authentication is distinct from message authentication. • User authentication process consists of two steps: 1. Identification: Presenting an identifier to the security system. 2. Verification: Binding entity (person) and identifier USER AUTHENTICATION
4 2. MEANS OF USER AUTHENTICATION • Four general means of authenticating a user's identity are • Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token. • Individual is (static biometrics): Includes recognition by fingerprint, retina, and face. • Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm. • can use alone or combined • all can provide user authentication & have issues. USER AUTHENTICATION
5 3. PASSWORD AUTHENTICATION • Widely used user authentication method – User provides name/login and password – System compares password with that saved for specified login • Authenticates ID of user logging and – That the user is authorized to access system – Determines the user’s privileges – Is used in Discretionary Access Control USER AUTHENTICATION
4. PASSWORD VULNERABILITIES Offline dictionary attack Specific account attack Popular password attack Password guessing against single user Workstation hijacking Exploiting user mistakes Exploiting multiple password use Eectronic monitoring USER AUTHENTICATION 6
7 Following are the attack strategies: 1. Offline dictionary attack: • A hacker gain access to the system password file. • Compares the password hashes against hashes of commonly used passwords. 2. Specific account attack: • Attacker targets a specific account &submits password guesses until the correct password is discovered. 3. Popular password attack / Against single user: • The attacker chooses a popular password and tries it. • Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. USER AUTHENTICATION
8 4. Workstation hijacking: • The attacker waits until a logged-in workstation is unattended. 5. Exploiting user mistakes: • User is more likely to write it down passwords, because it is difficult to remember. 6. Exploiting multiple password use. • Similar password for a many applications 7. Electronic monitoring: • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. USER AUTHENTICATION
9 5. USE OF HASHED PASSWORDS – IN UNIX USER AUTHENTICATION
• A widely used password security technique. • Use of hashed passwords and a salt value. • Found on all UNIX and other operating systems. 1. Loading a new password: • The user selects or is assigned a password. • Password combined with a fixed-length salt value. • Salt is a pseudorandom or random number. • PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. • Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2. Verifying a password: • When a user attempts to log on to a system, the user provides an ID and a password. • OS uses the ID to retrieve the plaintext salt and the encrypted password. • The salt and user-supplied password are used as input to the encryption routine. • If the result matches the stored value, the password is accepted. 10USER AUTHENTICATION
6. PASSWORD CRACKING TECHNIQUES Dictionary attacks • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values Rainbow table attacks • Pre-compute tables of hash values for all salts • A mammoth table of hash values • Can be countered by using a sufficiently large salt value and a sufficiently large hash length USER AUTHENTICATION 11
12 7. USING BETTER PASSWORDS • Clearly have problems with passwords • Goal to eliminate guessable passwords • At the same time, easy for user to remember • Four basic techniques: 1. User education 2. Computer-generated passwords 3. Reactive password checking 4. Proactive password checking 1. User education: • Users can be told the importance of using hard-to-guess passwords. • Provide users with guidelines for selecting strong passwords. • Can be problematic when have a large user population. • Because many users will simply ignore the guidelines. USER AUTHENTICATION
2. Computer-generated passwords: • Poor acceptance by users. • Random in nature, users will not remember. 3. Reactive password checking: • System periodically runs its own password cracker to find guessable passwords. • The system cancels any passwords that are guessed and notifies the user. • Can be costly in resources to implement. 4. Proactive password checking: • User selects own password which the system then checks to see if it is allowable and, if not, rejects it. 13USER AUTHENTICATION
14 8. TOKEN AUTHENTICATION • Objects that a user possesses for the purpose of user authentication are called tokens. • Token are of different forms, they are: 1. Embossed: Raised characters only, on front, e.g. Old credit card. 2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. Bank card. 3. Memory: Has Electronic memory inside, e.g. Prepaid phone card. 4. Smartcard: Has Electronic memory and processor inside, e.g. Biometric ID card USER AUTHENTICATION
15 8.1 MEMORY CARD / MAGNETIC STRIPS • Store but do not process data • Magnetic stripe card, e.g. bank card • Electronic memory card • Used alone for physical access • With password/PIN for computer use • Drawbacks of memory cards include: – Need special reader – Loss of token issues – User dissatisfaction USER AUTHENTICATION
16 8.2 SMARTCARD / EMBOSED • Credit-Card like • Has own processor, memory, I/O ports – Wired or wireless access by reader – May have crypto co-processor – ROM, EEPROM, RAM memory • Executes protocol to authenticate with reader/computer • Also have USB dongles USER AUTHENTICATION
17 9. BIOMETRIC AUTHENTICATION • Authenticate user based on one of their physical characteristics • Biometric authentication system authenticates an individual based on unique • Physical characteristics like Fingerprints, hand geometry, facial characteristics, and retinal and iris patterns. • Dynamic characteristics like voiceprint and signature. USER AUTHENTICATION
1. Facial characteristics: Characteristics based on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. 2. Fingerprints: The pattern of ridges and furrows on the surface of the fingertip. 3. Hand geometry: Identify features of hand,: e.g. shape, lengths & widths of fingers. 4. Retinal pattern: Formed by veins beneath the retinal surface is unique. Uses digital image of the retinal pattern by projecting a low- intensity beam of visual or infrared light into the eye. 5. Signature: Each individual has a unique style of handwriting, especially in signature. 18USER AUTHENTICATION
19 9.1 OPERATION OF A BIOMETRIC SYSTEM USER AUTHENTICATION
Operation of a biometric system. • Each users must first be enrolled in the system. • For biometric system, the user presents a name and a password or PIN. • System senses some biometric characteristic of this user (e.g. fingerprint of right index finger). • The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers. • This set of numbers is referred to as the user’s template. • User authentication on a biometric system involves either verification or identification. • Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN. • In Identification process, the individual uses the biometric sensor but presents no additional information. • The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected. 20USER AUTHENTICATION

More Related Content

PDF
Authentication techniques
byIGZ Software house
 
PPTX
Unit-4-User-Authentication.pptx
byPuskar Bhandari
 
PPTX
Password Attack
bySina Manavi
 
PPT
authentication.ppt
byjayarao21
 
PPTX
Security Mechanisms
bypriya_trehan
 
PPTX
Email security
byBaliram Yadav
 
PDF
Password Management
byRick Chin
 
PPTX
Cryptography-Known plain text attack
byamiteshg
 
Authentication techniques
byIGZ Software house
 
Unit-4-User-Authentication.pptx
byPuskar Bhandari
 
Password Attack
bySina Manavi
 
authentication.ppt
byjayarao21
 
Security Mechanisms
bypriya_trehan
 
Email security
byBaliram Yadav
 
Password Management
byRick Chin
 
Cryptography-Known plain text attack
byamiteshg
 

What's hot

PPTX
Authentication
byprimeteacher32
 
PPTX
Password Cracking
bySagar Verma
 
PPTX
Intrusion detection
byCAS
 
PDF
Chapter 1 Introduction of Cryptography and Network security
byDr. Kapil Gupta
 
PPTX
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
PPTX
Network security
byMadhumithah Ilango
 
PDF
Intruders
byDr.Florence Dayana
 
PPTX
Network security (vulnerabilities, threats, and attacks)
byFabiha Shahzad
 
PPTX
System security
byinvertis university
 
PPSX
Security policies
byNishant Pahad
 
PPTX
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
byRAMESHBABU311293
 
PPTX
Introduction to cryptography and types of ciphers
byAswathi Nair
 
PPTX
Message digest 5
byTirthika Bandi
 
PPTX
Email Forensics
byprimeteacher32
 
PDF
Access Control Presentation
byWajahat Rajab
 
PPTX
Cyber attack
byManjushree Mashal
 
PPTX
Encryption ppt
byAnil Neupane
 
PPTX
Cryptography.ppt
bykusum sharma
 
PPTX
Network security model.pptx
byssuserd24233
 
PPTX
Cryptography
bySidharth Mohapatra
 
Authentication
byprimeteacher32
 
Password Cracking
bySagar Verma
 
Intrusion detection
byCAS
 
Chapter 1 Introduction of Cryptography and Network security
byDr. Kapil Gupta
 
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
Network security
byMadhumithah Ilango
 
Intruders
byDr.Florence Dayana
 
Network security (vulnerabilities, threats, and attacks)
byFabiha Shahzad
 
System security
byinvertis university
 
Security policies
byNishant Pahad
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
byRAMESHBABU311293
 
Introduction to cryptography and types of ciphers
byAswathi Nair
 
Message digest 5
byTirthika Bandi
 
Email Forensics
byprimeteacher32
 
Access Control Presentation
byWajahat Rajab
 
Cyber attack
byManjushree Mashal
 
Encryption ppt
byAnil Neupane
 
Cryptography.ppt
bykusum sharma
 
Network security model.pptx
byssuserd24233
 
Cryptography
bySidharth Mohapatra
 

Similar to User authentication

PPTX
Infor_Security_Authentication_User .pptx
byhomecooking511
 
PDF
Class paper final
byAnusha Manchala
 
PDF
UNIT 2 Information Security Sharad Institute
bySatishPise4
 
PPTX
05-Authentication.pptx Software Security
byRahmathMohammed4
 
PDF
IS - User Authentication
byFumikageTokoyami4
 
PPTX
Access Control authentication and authorization .pptx
bybirhanugirmay559
 
PDF
Two-factor authentication- A sample writing _Zaman
byAsad Zaman
 
PDF
Authetication ppt
byPranav Doshi
 
DOCX
Biometric Authentication Technology - Report
byNavin Kumar
 
PPT
Lect5 authentication 5_dec_2012-1
byKhawar Nehal khawar.nehal@atrc.net.pk
 
PPTX
Basic of Biometrics Technology
byNEHA SINGH
 
PDF
Graphical Password Authentication using Images Sequence
byIRJET Journal
 
PPT
Ch04 after modifications
bysaeedjaber1
 
PPTX
4.2.1 Network Issues and Communication.pptx
byTeenaSharma73
 
PPTX
4.2.1 Network Issues and Communication [Autosaved].pptx
byTeenaSharma73
 
PPT
Electronic Authentication, More Than Just a Password
byNicholas Davis
 
PDF
C02
bynewbie2019
 
PPTX
Chapter 5 Identity Access Management.pptx
byharshadrai2
 
PDF
Getting authentication right
byAndre N. Klingsheim
 
PPT
Topic 6 authentication2 12_dec_2012-1
byKhawar Nehal khawar.nehal@atrc.net.pk
 
Infor_Security_Authentication_User .pptx
byhomecooking511
 
Class paper final
byAnusha Manchala
 
UNIT 2 Information Security Sharad Institute
bySatishPise4
 
05-Authentication.pptx Software Security
byRahmathMohammed4
 
IS - User Authentication
byFumikageTokoyami4
 
Access Control authentication and authorization .pptx
bybirhanugirmay559
 
Two-factor authentication- A sample writing _Zaman
byAsad Zaman
 
Authetication ppt
byPranav Doshi
 
Biometric Authentication Technology - Report
byNavin Kumar
 
Lect5 authentication 5_dec_2012-1
byKhawar Nehal khawar.nehal@atrc.net.pk
 
Basic of Biometrics Technology
byNEHA SINGH
 
Graphical Password Authentication using Images Sequence
byIRJET Journal
 
Ch04 after modifications
bysaeedjaber1
 
4.2.1 Network Issues and Communication.pptx
byTeenaSharma73
 
4.2.1 Network Issues and Communication [Autosaved].pptx
byTeenaSharma73
 
Electronic Authentication, More Than Just a Password
byNicholas Davis
 
C02
bynewbie2019
 
Chapter 5 Identity Access Management.pptx
byharshadrai2
 
Getting authentication right
byAndre N. Klingsheim
 
Topic 6 authentication2 12_dec_2012-1
byKhawar Nehal khawar.nehal@atrc.net.pk
 

More from CAS

PPTX
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 4
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions part 3
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 2
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 1
byCAS
 
PPTX
Introduction to IoT Security
byCAS
 
PPTX
Introduction to research methodology
byCAS
 
PPTX
Can you solve this
byCAS
 
PPTX
Symmetric encryption and message confidentiality
byCAS
 
PPTX
Public key cryptography and message authentication
byCAS
 
PPTX
Malicious software
byCAS
 
PPTX
Legal and ethical aspects
byCAS
 
PPT
IT Security management and risk assessment
byCAS
 
PPTX
It security controls, plans, and procedures
byCAS
 
PPTX
Human resources security
byCAS
 
PPT
Database security
byCAS
 
PPTX
Cryptographic tools
byCAS
 
PPT
Internet security association and key management protocol (isakmp)
byCAS
 
PPT
IP Security Part 2
byCAS
 
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 4
byCAS
 
RRB JE Stage 2 Computer and Applications Questions part 3
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 2
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 1
byCAS
 
Introduction to IoT Security
byCAS
 
Introduction to research methodology
byCAS
 
Can you solve this
byCAS
 
Symmetric encryption and message confidentiality
byCAS
 
Public key cryptography and message authentication
byCAS
 
Malicious software
byCAS
 
Legal and ethical aspects
byCAS
 
IT Security management and risk assessment
byCAS
 
It security controls, plans, and procedures
byCAS
 
Human resources security
byCAS
 
Database security
byCAS
 
Cryptographic tools
byCAS
 
Internet security association and key management protocol (isakmp)
byCAS
 
IP Security Part 2
byCAS
 

Recently uploaded

PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
2025 October Patch Tuesday
byIvanti
 
PDF
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
2025 October Patch Tuesday
byIvanti
 
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
Data Structure - 12 Graph
byAndiNurkholis1
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 

User authentication

  • 1.
    COMPUTER SECURITY USERAUTHENTICATION Mr. RAJASEKARRAMALINGAM Faculty - Department of IT College of Applied Sciences – Sur, Sultanate of Oman. vrrsekar@yahoo.com
  • 2.
    CONTENT • USER AUTHENTICATION •MEANS OF USER AUTHENTICATION • PASSWORD AUTHENTICATION • PASSWORD VULNERABILITIES • USE OF HASHED PASSWORDS – IN UNIX • PASSWORD CRACKING TECHNIQUES • USING BETTER PASSWORDS • TOKEN AUTHENTICATION • BIOMETRIC AUTHENTICATION USER AUTHENTICATION 2
  • 3.
    3 1. USER AUTHENTICATION •RFC 2828 defines user authentication as: • “The process of verifying an identity claimed by or for a system entity. • Fundamental security building block • Basis of most types of access control & for user accountability. • User authentication is distinct from message authentication. • User authentication process consists of two steps: 1. Identification: Presenting an identifier to the security system. 2. Verification: Binding entity (person) and identifier USER AUTHENTICATION
  • 4.
    4 2. MEANS OFUSER AUTHENTICATION • Four general means of authenticating a user's identity are • Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token. • Individual is (static biometrics): Includes recognition by fingerprint, retina, and face. • Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm. • can use alone or combined • all can provide user authentication & have issues. USER AUTHENTICATION
  • 5.
    5 3. PASSWORD AUTHENTICATION •Widely used user authentication method – User provides name/login and password – System compares password with that saved for specified login • Authenticates ID of user logging and – That the user is authorized to access system – Determines the user’s privileges – Is used in Discretionary Access Control USER AUTHENTICATION
  • 6.
    4. PASSWORD VULNERABILITIES Offline dictionary attack Specific account attack Popular password attack Password guessing against singleuser Workstation hijacking Exploiting user mistakes Exploiting multiple password use Eectronic monitoring USER AUTHENTICATION 6
  • 7.
    7 Following are theattack strategies: 1. Offline dictionary attack: • A hacker gain access to the system password file. • Compares the password hashes against hashes of commonly used passwords. 2. Specific account attack: • Attacker targets a specific account &submits password guesses until the correct password is discovered. 3. Popular password attack / Against single user: • The attacker chooses a popular password and tries it. • Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. USER AUTHENTICATION
  • 8.
    8 4. Workstation hijacking: •The attacker waits until a logged-in workstation is unattended. 5. Exploiting user mistakes: • User is more likely to write it down passwords, because it is difficult to remember. 6. Exploiting multiple password use. • Similar password for a many applications 7. Electronic monitoring: • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. USER AUTHENTICATION
  • 9.
    9 5. USE OFHASHED PASSWORDS – IN UNIX USER AUTHENTICATION
  • 10.
    • A widelyused password security technique. • Use of hashed passwords and a salt value. • Found on all UNIX and other operating systems. 1. Loading a new password: • The user selects or is assigned a password. • Password combined with a fixed-length salt value. • Salt is a pseudorandom or random number. • PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. • Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2. Verifying a password: • When a user attempts to log on to a system, the user provides an ID and a password. • OS uses the ID to retrieve the plaintext salt and the encrypted password. • The salt and user-supplied password are used as input to the encryption routine. • If the result matches the stored value, the password is accepted. 10USER AUTHENTICATION
  • 11.
    6. PASSWORD CRACKINGTECHNIQUES Dictionary attacks • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values Rainbow table attacks • Pre-compute tables of hash values for all salts • A mammoth table of hash values • Can be countered by using a sufficiently large salt value and a sufficiently large hash length USER AUTHENTICATION 11
  • 12.
    12 7. USING BETTERPASSWORDS • Clearly have problems with passwords • Goal to eliminate guessable passwords • At the same time, easy for user to remember • Four basic techniques: 1. User education 2. Computer-generated passwords 3. Reactive password checking 4. Proactive password checking 1. User education: • Users can be told the importance of using hard-to-guess passwords. • Provide users with guidelines for selecting strong passwords. • Can be problematic when have a large user population. • Because many users will simply ignore the guidelines. USER AUTHENTICATION
  • 13.
    2. Computer-generated passwords: •Poor acceptance by users. • Random in nature, users will not remember. 3. Reactive password checking: • System periodically runs its own password cracker to find guessable passwords. • The system cancels any passwords that are guessed and notifies the user. • Can be costly in resources to implement. 4. Proactive password checking: • User selects own password which the system then checks to see if it is allowable and, if not, rejects it. 13USER AUTHENTICATION
  • 14.
    14 8. TOKEN AUTHENTICATION •Objects that a user possesses for the purpose of user authentication are called tokens. • Token are of different forms, they are: 1. Embossed: Raised characters only, on front, e.g. Old credit card. 2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. Bank card. 3. Memory: Has Electronic memory inside, e.g. Prepaid phone card. 4. Smartcard: Has Electronic memory and processor inside, e.g. Biometric ID card USER AUTHENTICATION
  • 15.
    15 8.1 MEMORY CARD/ MAGNETIC STRIPS • Store but do not process data • Magnetic stripe card, e.g. bank card • Electronic memory card • Used alone for physical access • With password/PIN for computer use • Drawbacks of memory cards include: – Need special reader – Loss of token issues – User dissatisfaction USER AUTHENTICATION
  • 16.
    16 8.2 SMARTCARD /EMBOSED • Credit-Card like • Has own processor, memory, I/O ports – Wired or wireless access by reader – May have crypto co-processor – ROM, EEPROM, RAM memory • Executes protocol to authenticate with reader/computer • Also have USB dongles USER AUTHENTICATION
  • 17.
    17 9. BIOMETRIC AUTHENTICATION •Authenticate user based on one of their physical characteristics • Biometric authentication system authenticates an individual based on unique • Physical characteristics like Fingerprints, hand geometry, facial characteristics, and retinal and iris patterns. • Dynamic characteristics like voiceprint and signature. USER AUTHENTICATION
  • 18.
    1. Facial characteristics: Characteristicsbased on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. 2. Fingerprints: The pattern of ridges and furrows on the surface of the fingertip. 3. Hand geometry: Identify features of hand,: e.g. shape, lengths & widths of fingers. 4. Retinal pattern: Formed by veins beneath the retinal surface is unique. Uses digital image of the retinal pattern by projecting a low- intensity beam of visual or infrared light into the eye. 5. Signature: Each individual has a unique style of handwriting, especially in signature. 18USER AUTHENTICATION
  • 19.
    19 9.1 OPERATION OFA BIOMETRIC SYSTEM USER AUTHENTICATION
  • 20.
    Operation of abiometric system. • Each users must first be enrolled in the system. • For biometric system, the user presents a name and a password or PIN. • System senses some biometric characteristic of this user (e.g. fingerprint of right index finger). • The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers. • This set of numbers is referred to as the user’s template. • User authentication on a biometric system involves either verification or identification. • Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN. • In Identification process, the individual uses the biometric sensor but presents no additional information. • The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected. 20USER AUTHENTICATION