Authentication & Password Security

This document discusses authentication and account management in information security. It describes different types of authentication credentials like passwords and defines weak passwords. It explains common password attacks like brute force, dictionary, and hybrid attacks. It also summarizes defenses against password attacks such as implementing strong password complexity policies, using credential management applications, and employing password hashing algorithms with salts.

Uploaded by marya

ITIS 412: Information Security

Chapter 12: Authentication & Account Management
Objectives
 Describe the different types of authentication
credentials
 Explain what single sign-on can do
 List the account management procedures for securing
passwords

2 ITIS 412
Introduction
 Authentication - Process of ensuring that the person desiring
to access resources is authentic (genuine) and not an imposter
 Authentication is proof of validity: because only the real
("authentic") person possesses one or more of the elements
below, presenting them confirms identity and can be used to
prevent access by an imposter
 Authentication factors - Five elements can be presented to an
IT system to verify the genuineness of a user
 Every credential can be classified into one of these five
categories

Elements of Authentication
 A user can demonstrate being genuine or authentic by:
 What you have (Example: key fob that unlocks your car)
 What you are (Example: facial characteristics recognized by a
health club attendant)
 What you know (Example: combination to a health club locker)
 Where you are (Example: on a restricted military base)
 What you do (Example: performing an action in your own
characteristic way, such as your typing rhythm)

What You Know: Passwords
 A user logging in to a system:
 Is asked to identify himself with a username as an identifier
 Is asked to authenticate himself with a password, a secret
combination of letters, numbers, and/or other characters that
only the user should know
 Passwords are the most common type of authentication today
 Yet passwords provide only weak protection

Password Weaknesses
 The most effective passwords are long and complex, but
difficult for users to memorize and then accurately recall
when needed
 Users must remember passwords for many different accounts
 Each account password should be unique
 Many security policies mandate that passwords expire after a
set period of time, forcing users to repeatedly memorize new
passwords (current NIST SP 800-63B guidance drops forced
periodic expiration in favour of changing a password when
there is evidence it has been compromised)

Weak Passwords
 Weak password - Passwords that use:
 Common word as password (princess)
 Short password (desk)
 Predictable sequence of characters (abc123)
 Personal information (Hannah)
Predictable Patterns
 To create stronger passwords users often follow predictable
patterns:
 Appending - Combine letters, numbers, and punctuation
(character sets) by appending one character set to another:
a number after letters (caitlin1 or cheer99), or character
sets in sequence, letters+punctuation+number (amanda.7)
 Replacing - Zero used instead of the letter o (passw0rd), the
digit 1 for the letter i (denn1s), or a dollar sign for s
(be$tfriend)
 Attackers are aware of these patterns and encode them as
mangling rules, so a "complex" password built this way is
little stronger than the dictionary word underneath it

Password Reuse
 A common shortcut is using the same password for multiple
accounts
 This makes it easier for an attacker who compromises one
account to access other accounts (credential stuffing)
 Analysis of one theft of 32 million user passwords:
 30% of users had created passwords of only five or six
characters
 12% of the user passwords were nine characters in length
 One in every five users created a password that was one of
the 5,000 most common passwords

Ten Most Common Passwords
(table not reproduced in this extract)

Attacks on Passwords
 Social engineering - Phishing, shoulder surfing, dumpster
diving
 Capturing - Keylogger, protocol analyzer, man-in-the-middle
and replay attacks
 Resetting - Attacker gains physical access to the computer,
boots it from other media, and resets the password

Offline Cracking
 Offline cracking - Method used by most password attacks today
 A one-way hash algorithm creates a digest (a fixed-size
"digital fingerprint" of the password) when the password is
first created; the digest, not the password, is stored
 When the user logs in, a digest is created from the entered
password and compared to the stored digest
 With offline cracking attackers steal the file of password
digests, load it onto their own computers, and attempt to
discover the passwords by hashing candidate passwords
themselves and comparing the resulting digests with the
stolen ones; nothing touches the victim's login page, so
lockout policies and rate limits do not help

Brute Force
 Brute force attack - Every possible combination of letters,
numbers, and other characters is used to create candidate
digests, which are then matched against those in the stolen
digest file
 Automated brute force attack program parameters:
 Password length: e.g. 1-15
 Character set
 Language
 Pattern (mask): ? replaces one symbol, * replaces multiple
 Skips: skip nonsensical combinations

Dictionary Attack
 Dictionary attack - Attacker creates digests of common
dictionary words as candidates and compares them with the
stolen digests
 Pre-image attack - Given a digest, find any input that hashes
to it; a dictionary attack is a pre-image search restricted to
a list of likely candidates, comparing each known digest (of
a dictionary word) with the unknown digest (the stolen one)
 Birthday attack - Search for any two inputs whose digests are
identical (a collision); it needs roughly the square root of
the effort of a pre-image search, which is why digest length
matters, but it does not by itself recover a password

Dictionary Attack
(figure not reproduced in this extract)

Hybrid Attack
 Hybrid attack - Variation of the dictionary attack
 Combines the dictionary attack with a brute force attack
 Slightly alters dictionary words by:
 Adding numbers to the end of the password
 Spelling words backward
 Slightly misspelling words
 Including special characters (@, $, !, or %)

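The three attack styles on the preceding slides (brute force, dictionary, hybrid) run against the same stolen digest file, as an added example that is not part of the original slides. The wordlist, the "stolen" unsalted SHA-1 digests and the usernames are constructed for the demonstration; the mangling rules are the ones from the Predictable Patterns slide, and the keyspace helper shows why the brute-force parameters (character set, maximum length) decide whether exhaustive search is feasible at all.

```python
import hashlib

# Constructed for this example: a small wordlist and a "stolen" digest file of
# unsalted SHA-1 digests, the situation the Offline Cracking slide describes.
WORDLIST = ["princess", "password", "dennis", "amanda", "cheer", "bestfriend"]


def sha1_hex(candidate: str) -> str:
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest()


STOLEN = {                                   # username -> stored digest
    "alice": sha1_hex("princess"),           # bare dictionary word
    "bob":   sha1_hex("cheer99"),            # appended digits
    "carol": sha1_hex("passw0rd"),           # character replacement
    "dave":  sha1_hex("be$tfriend"),         # $ for s
    "erin":  sha1_hex("amanda.7"),           # letters + punctuation + digit
    "frank": sha1_hex("Xq7#pL2vR9!d"),       # random; no rule below reaches it
}

# Replacement rules from the Predictable Patterns slide, applied one at a time.
LEET = [("o", "0"), ("i", "1"), ("s", "$"), ("e", "3"), ("a", "@")]


def brute_force_keyspace(charset_size: int, max_len: int) -> int:
    """Candidates an exhaustive brute-force run must try for lengths 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def hybrid_candidates(word: str):
    """Dictionary word plus hybrid mutations: case, reversal, leet, suffixes."""
    bases = [word, word.capitalize(), word[::-1]]
    bases += [word.replace(old, new) for old, new in LEET if old in word]
    for base in bases:
        yield base
        for n in range(100):                 # caitlin1, cheer99
            yield f"{base}{n}"
        for punct in ".!@#$%":               # amanda.7
            for n in range(10):
                yield f"{base}{punct}{n}"


def crack(stolen: dict, wordlist: list) -> dict:
    """Offline dictionary/hybrid attack: hash each candidate, look it up in the loot.

    Because the digests are unsalted, one candidate digest is checked against
    every stolen digest at once, and reused passwords fall together."""
    by_digest = {}
    for user, digest in stolen.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for cand in hybrid_candidates(word):
            for user in by_digest.get(sha1_hex(cand), ()):
                found.setdefault(user, cand)
    return found


if __name__ == "__main__":
    space = brute_force_keyspace(95, 8)      # 95 printable ASCII, up to 8 chars
    print(f"brute force, 95 chars, length <= 8: {space:,} candidates")
    print(f"at 10^10 guesses/s: about {space / 1e10 / 86400:.1f} days")
    for user, pw in crack(STOLEN, WORDLIST).items():
        print(f"{user}: {pw}")
```

Only frank survives, and only because his password is not a mutation of a dictionary word; everything the Predictable Patterns slide lists falls to a few hundred candidates per word.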
Rainbow Tables
 Rainbow tables - A large pregenerated data set of candidate
digests, stored as chains so that a table covering billions of
candidates fits in far less space than a full lookup table
 Generating a rainbow table requires a significant amount of
time
 Once created it has significant advantages:
 Can be used repeatedly for attacks on other passwords
 Rainbow-table lookups are much faster than running a
dictionary attack from scratch
 Amount of memory needed on the attacking machine is greatly
reduced compared with storing every candidate digest
 A per-user salt defeats them: the table would have to be
regenerated for every salt value

Password Collections
 Stolen passwords posted on the Internet provide key elements
for password attacks:
 Large numbers of real-world passwords are available; because
users repeat passwords on multiple accounts, attackers use
these passwords as candidate passwords in their attacks
 Password collections give attackers insight into how users
actually create passwords, which is where the mangling rules
used in hybrid attacks come from

Password Defenses
 Four primary defenses against password attacks:
 Password complexity
 Credential management
 Password hashing algorithms
 Salts

Password Complexity
 General observations regarding creating passwords:
 Do not use passwords that consist of dictionary words or
phonetic words
 Do not repeat characters (xxx) or use sequences (abc, 123,
qwerty)
 Do not use birthdays, family member names, pet names,
addresses, or any personal information
 Do not use short passwords; a strong password should be a
minimum of 15 characters in length
 Length and unpredictability matter more than mandatory
character classes; a long random password from a password
manager satisfies all of the above

Password Length
 A longer password is more secure than a shorter one chosen
with the same randomness
 Longer passwords require more attempts by an attacker in
order to break them
 Character-Set-Size ^ Password-Length =
Total-Number-of-Possible-Passwords
 The character set is the set of symbols the attacker must
assume could appear (for example the 95 printable ASCII
characters), not the number of keys on the keyboard, and the
formula only holds for passwords chosen uniformly at random;
a 20-character dictionary phrase has far fewer possibilities

Number of Possible Passwords
(table not reproduced in this extract)

Nonkeyboard Characters
 Use nonkeyboard characters, or special characters that do not
appear on the keyboard
 On Windows, such characters are entered by holding down the
ALT key while typing a number on the numeric keypad (not the
numbers across the top of the keyboard)
 ALT + 0163 produces the £ symbol
 Caveat: this enlarges the character set an attacker must
cover, but the password must still be typeable everywhere it
is needed (other operating systems, mobile keyboards, firmware
prompts), and some systems normalise or reject non-ASCII input

Credential Management: Theft Prevention
 Must properly manage password credentials
 Defenses against the theft of password digests:
 Do not leave a computer running unattended, even in a locked
office; all screensavers should be set to resume only when a
password is entered
 Do not set a computer to boot from an optical drive or USB
flash drive
 Password-protect the BIOS/UEFI firmware settings
 Physically lock the computer case so that it cannot be opened
 Full-disk encryption protects the digest store even when
these physical controls fail

Credential Management: Good Techniques
 Change passwords frequently (NIST SP 800-63B no longer
recommends forced periodic changes, which push users toward
predictable variations of the old password; change a password
whenever there is reason to believe it is compromised)
 Do not reuse old passwords
 Never write a password down where others can find it
 Have a unique password for each account
 Do not allow a computer to automatically sign into an account
or record a password so that login is not necessary
 Do not enter passwords on public access computers or while
using an unencrypted wireless network

Password Management Applications
 A secure solution to credential management is to rely on
technology rather than human memory to store and manage
passwords
 Password management applications - Programs in which the user
can create and store multiple strong passwords in a single
"vault" file protected by one strong master password
 Users retrieve individual passwords as needed by opening the
vault, freeing them from the need to memorize multiple
passwords
 Applications have multiple additional features (random
password generation, browser autofill bound to the site's
domain, which also blunts phishing)
 The master password and the vault file become the single
point of failure, so the vault must be encrypted under a
key-stretched master password

Windows Password Hashing Algorithms
 Microsoft Windows operating systems have hashed passwords in
two ways:
 LM (LAN Manager) hash - Instead of encrypting the password
with another key, the password itself is the key (each half is
used as a DES key to encrypt a fixed constant); the LM hash is
considered a very weak function
 Not case sensitive (converted to upper case)
 Splits the password into 2 parts, each 7 characters long
(padded to 14), so each half is cracked independently
 NT hash (NTLM hash)
 MD4 over the UTF-16LE encoding of the password, with no salt
 Case sensitive, full Unicode character set
 The HMAC-MD5 construction belongs to the NTLMv2
challenge-response protocol, which is keyed with the NT hash;
it is not how the stored hash itself is computed
 Because the NT hash is unsalted and fast, identical passwords
produce identical hashes across users and machines, which is
what makes precomputed tables effective against it

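The NT hash computation, as an added example that is not part of the original slides: MD4 (RFC 1320) over the UTF-16LE password, with no salt. MD4 is implemented here in pure Python because `hashlib`'s MD4 is often unavailable under OpenSSL 3; the three-entry precomputed table at the bottom is constructed for the demonstration and shows why an unsalted hash can be reversed by lookup.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Three rounds of sixteen steps over 64-byte blocks."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        S = [a, b, c, d]
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                t = -i % 4                       # target register: a, d, c, b, a, ...
                x, y, z = S[(t + 1) % 4], S[(t + 2) % 4], S[(t + 3) % 4]
                S[t] = _rotl((S[t] + fn(x, y, z) + X[k] + k_add) & MASK, shifts[i % 4])
        a, b, c, d = ((s + v) & MASK for s, v in zip((a, b, c, d), S))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed precomputed table: with no salt, one table serves every account.
TABLE = {nt_hash(w): w for w in ("password", "Password1", "letmein")}


def lookup(digest_hex: str):
    """Reverse an NT hash by table lookup (the rainbow-table idea in miniature)."""
    return TABLE.get(digest_hex.lower())


if __name__ == "__main__":
    for pw in ("password", "Password", "letmein"):
        print(f"{pw!r:12} -> {nt_hash(pw)}  lookup: {lookup(nt_hash(pw))}")
```

Case matters (`Password` and `password` hash differently), but every user who picked `password` has the digest `8846f7eaee8fb117ad06bdd830b7586c`, so a table built once cracks all of them.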
Key Stretching
 Key stretching - Specialized password hash algorithms
intentionally designed to be slower, limiting an attacker's
ability to crack passwords because significantly more time is
required to create each candidate digest
 Two popular key-stretching password hash algorithms are
bcrypt and PBKDF2; scrypt and Argon2 additionally require a
large amount of memory per guess, which blunts GPU and ASIC
cracking
 An administrator can specify the number of iterations
(rounds), which sets how "expensive" (in terms of computer
time and/or resources) the password hash function is; the
cost should be raised over time as hardware gets faster

What is Digest authentication?
 HTTP Digest access authentication (RFC 7616) is one of the
agreed-upon methods a web server can use to negotiate
credentials, such as a username and password, with a user's
web browser
 It applies a hash function to the username, realm, password
and a server-supplied nonce before sending the result over the
network, so the cleartext password is never transmitted
 The default hash is MD5 and the scheme protects nothing else
in the request, so it is no substitute for TLS
Enhanced Hashed Passwords Using Salts
 Salt - Random string used in password hash algorithms
 Passwords can be protected by adding a random string to the
user's cleartext password before it is hashed; the salt is
stored alongside the digest and need not be secret
 Salt advantages:
 Makes dictionary and brute force attacks against a large
number of passwords much slower, because each digest must be
attacked separately instead of one candidate digest being
compared against all of them
 Limits the impact of rainbow tables
 Does not slow down the attack on a single digest; that is the
job of key stretching

Enhanced hashed passwords using salt
(figure not reproduced in this extract; it showed the salt
concatenated with the password as the input to a hash
function, with CRC32 as the example function)
 In cryptography, a salt is random data that is used as an
additional input to a one-way function that "hashes" data, a
password or passphrase
 CRC32 is a checksum, not a cryptographic hash, and would not
be used for this in practice
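Salting and key stretching together, as an added example that is not part of the original slides and covers both the Key Stretching slide and the two salt slides above. It uses PBKDF2-HMAC-SHA256 from the standard library; the record format (`algorithm$iterations$salt$digest`) and the 600,000-iteration default are choices made for this example, the latter being the commonly cited current OWASP figure for PBKDF2-SHA256.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # raise over time; target roughly 100 ms per hash on your servers
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """What the deck warns against: same password, same digest, for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Fresh random salt per record, then a deliberately slow derivation."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored cost is below current policy: rehash at next login."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted, two users, same password:")
    print(" ", unsalted_digest(pw))
    print(" ", unsalted_digest(pw))            # identical: crack one, crack both
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted + stretched, same password:")
    print(" ", r1)
    print(" ", r2)                               # different salt, different digest
    print("verify:", verify_password(pw, r1), verify_password("wrong", r1))
```

Because the salt is inside the record, an attacker who steals the file must attack each user separately, and each of those attacks pays the iteration cost per candidate.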
What You Have: Tokens, Cards, and Cell Phones
 Another type of authentication credential is based on the
approved user having a specific item in their possession
 Multifactor authentication - Using more than one type of
authentication credential (for example a password plus a
token); two credentials of the same type are not multifactor
 Single-factor authentication - Using one type of
authentication credential
 Common items used for authentication:
 Tokens
 Cards
 Cell phones

Tokens
 Token - Typically a small device (usually one that can be
affixed to a keychain) with a window display
 Instead of the user presenting a password (what she knows),
the token introduces a different form of authentication based
on what the person has (the token)
 One-time password (OTP) - Authentication code that can be
used only once or for a limited period of time

Token Authentication
 A security token (sometimes called an authentication token)
is a small hardware device that the owner carries to
authorize access to a network service
 The device may be in the form of a smart card or may be
embedded in a commonly used object such as a key fob

Token Authentication Process
(figure not reproduced in this extract)

Time-based One-time Password (TOTP)
 Time-based one-time password (TOTP) - Changes after a set
time period
 Token and corresponding authentication server share a secret
key and the same public algorithm (each user's token holds a
different key, not a different algorithm)
 The token computes a code from the key and the current time
once every 30 to 60 seconds; the code is valid only for that
brief period
 User enters her username along with the code currently being
displayed on the token

Time-based One-time Password (TOTP)
 The authentication factors used with TOTP are:
 Something the user knows: The first authentication factor
requires something the user knows, such as the password for
the user's single-sign-on user name
 Something the user has: The second authentication factor
requires something the user has, such as a mobile device
running Google Authenticator to generate time-based one-time
passwords
 TOTP - Changes after a set number of seconds

HMAC-based One-time Password (HOTP)
 HMAC-based one-time password (HOTP) is a one-time password
(OTP) algorithm based on HMAC (hash-based message
authentication code), standardized in RFC 4226; TOTP (RFC
6238) is HOTP with the counter replaced by a time step
 The HOTP password is "event-driven" and changes when a
specific event occurs
 Example: when the user enters a personal identification
number (PIN) on the token's keypad, the token increments its
counter and computes the next code from the shared key and
that counter (the code looks random but is deterministic)
 The server keeps its own counter and must tolerate a small
look-ahead window for button presses whose codes never
reached it

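Both OTP algorithms from the two slides above, as an added example that is not part of the original slides: HOTP exactly as RFC 4226 specifies it, TOTP as RFC 6238 derives it from HOTP, plus the server-side checks a verifier needs (a look-ahead window for HOTP, clock-drift tolerance and replay rejection for TOTP). The shared secret `12345678901234567890` is the RFC test key, chosen so the outputs can be checked against the published vectors; the window sizes are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                         # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"      # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, at // step, digits, digestmod)


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Server side for an event-based token: accept the first unused counter in the
    look-ahead window (the user may have pressed the button without logging in).
    Returns the counter to store as the new high-water mark, or None."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def verify_totp(secret: bytes, code: str, now: int, last_step: int = -1,
                step: int = 30, drift: int = 1):
    """Server side for a time-based token: accept the current step and `drift`
    neighbours (clock skew), but never a step <= last_step, so a code cannot be
    replayed inside its validity window. Returns the accepted step or None."""
    current = now // step
    for s in range(current - drift, current + drift + 1):
        if s > last_step and hmac.compare_digest(totp(secret, s * step, step), code):
            return s
    return None


if __name__ == "__main__":
    SECRET = b"12345678901234567890"                 # RFC 4226 / 6238 test key
    print("HOTP counters 0..2:", [hotp(SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(SECRET, 59, digits=8))
    code = totp(SECRET, 59)
    step = verify_totp(SECRET, code, now=59)
    print("first use accepted at step", step)
    print("replay in same window:", verify_totp(SECRET, code, now=70, last_step=step))
```

The two protocols share everything except where the counter comes from, which is why an authenticator app can do both; the replay check is the part most home-grown verifiers forget.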
Token Advantages
 Standard passwords are static and do not change unless the
user is forced to create a new password
 Tokens produce dynamic passwords that change frequently
 A user might not know if an attacker has stolen her password
 If the token is stolen, the loss becomes obvious and steps can
be taken immediately to disable the account
 Caveat: an OTP code can still be phished in real time by a
proxy site that relays it to the real service, so tokens raise
the bar but do not make the credential phishing-resistant

Cards
 Smart card - Contains integrated circuit chip that can
hold information to be used as part of authentication
process
 Common access card (CAC) - U.S. Department of
Defense (DoD) smart card used for identification of
active-duty and reserve military personnel along with
civilian employees and special contractors
 Personal Identity Verification (PIV) – smart card
standard covering all U.S. government employees

Smart Card / Smart Card Authentication Process
(figures not reproduced in this extract)

Cell Phones
 Tokens and cards are increasingly being replaced today with
cell phones
 A TOTP code can be generated by an authenticator app on the
device, or a code can be sent to the user's phone as a text
message
 Cell phones also allow the user to send a request via the
phone to receive an HOTP authorization code
 Codes delivered by SMS are the weakest of these: they can be
intercepted through SIM-swap fraud or telephone-network
attacks, and NIST SP 800-63B restricts their use; an app that
generates codes locally never puts the secret on the network

What You Are: Biometrics
 In addition to authentication based on what person
knows or has, another category rests on features and
characteristics of individual
 “What you are” authentication:
 Standard biometrics
 Cognitive biometrics

Standard Biometrics
 Standard biometrics - Uses a person's unique physical
characteristics for authentication
 Fingerprint scanners are the most common type
 Face, hand, or eye characteristics are also used
 Biometrics are commonly used in physical security: access to
a secure area is restricted to only those whose fingerprint
or retina is scanned and matched

Biometric Authentication
 Authenticate a user based on one of their physical
characteristics:
 facial
 fingerprint
 hand geometry
 retina pattern
 iris
 signature
 voice
 Verification (1:1) - The user claims an identity and the
sample is compared with that one stored template; analogous
to user login via a smart card and a PIN
 Identification (1:N) - No identity is claimed; the system
compares the sample with all stored templates

Biometric Accuracy
 The system generates a matching score (a number) that
quantifies the similarity between the input and the stored
template; a threshold on that score decides accept or reject
 Concerns: sensor noise and detection inaccuracy
 Problems of false match (impostor accepted) and false
non-match (genuine user rejected); moving the threshold
lowers one rate and raises the other, and the point where the
two rates are equal (the equal error rate) is the usual
one-number summary of a system

How Does Biometrics Work? / Biometric by Characteristic Type
(figures not reproduced in this extract)

Disadvantages of Standard Biometrics
 Cost of hardware scanning devices
 Readers are not foolproof
 Reject authorized users (false non-match)
 Accept unauthorized users (false match)
 Easily obtainable: fingerprints are left on surfaces and faces
are photographed, so the "secret" is not secret
 Once compromised, a biometric cannot be reset the way a
password can

Cognitive Biometrics
 Cognitive biometrics - Uses the user's memory and perception
as the biometric component
 Related to the perception, thought process, and understanding
of the user
 Considered to be much easier for the user to remember and
more difficult for an attacker to imitate
 Examples:
 Picture gesture authentication (PGA) for touch-enabled
devices
 Identifying specific faces
 Recalling a memorable event

What You Do: Behavioral Biometrics
 Behavioral biometrics - Authentication based on actions that
the user is uniquely qualified to perform
 Examples
 Keystroke dynamics
 Voice recognition

Keystroke Dynamics
 Keystroke dynamics - Attempts to recognize a user's typing
rhythm
 All users type at a different pace
 Accuracy of up to about 98 percent has been reported
 Uses two timing variables:
 Dwell time - Time between pressing and releasing a key
 Flight time - Time between releasing one key and pressing
the next
 Multiple samples are collected to form a user typing template
that is used in authentication

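A keystroke-dynamics verifier, as an added example that is not part of the original slides, which also shows the matching-score-and-threshold mechanism from the Biometric Accuracy slide in code. Dwell and flight times are extracted from key press/release timestamps, several enrollment samples are reduced to a per-feature mean and spread (the template), and a probe is scored by its distance from that template. All timing samples below are constructed for the demonstration, and the mean-absolute-z-score distance and the threshold of 2.0 are choices made for this example.

```python
from statistics import mean, pstdev

# A typing sample is a list of (key, press_ms, release_ms) in the order typed.
# Every sample below is constructed for this example, not measured data.


def make_sample(keys, dwells, flights):
    """Build a sample from dwell times (one per key) and flight times (between keys)."""
    t, sample = 0, []
    for i, key in enumerate(keys):
        sample.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return sample


def features(sample):
    """Dwell time of every key, followed by the flight time between consecutive keys."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def build_template(samples):
    """Per-feature mean and standard deviation over the enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(col), pstdev(col) or 1.0) for col in columns]


def match_score(template, sample):
    """Mean absolute z-score: 0 means the probe matches the template exactly."""
    return mean(abs(x - m) / sd for x, (m, sd) in zip(features(sample), template))


def authenticate(template, sample, threshold=2.0):
    """Accept when the distance is under the threshold. A lower threshold gives
    fewer false matches and more false non-matches; tune it on real data."""
    return match_score(template, sample) < threshold


KEYS = list("pass")
ENROLLMENT = [
    make_sample(KEYS, [80, 90, 85, 82], [120, 110, 125]),
    make_sample(KEYS, [84, 92, 88, 80], [115, 118, 130]),
    make_sample(KEYS, [78, 88, 90, 85], [125, 105, 120]),
    make_sample(KEYS, [82, 95, 83, 84], [118, 112, 128]),
]
GENUINE_PROBE = make_sample(KEYS, [83, 89, 87, 81], [122, 113, 124])    # same rhythm
IMPOSTOR_PROBE = make_sample(KEYS, [110, 120, 115, 112], [200, 190, 210])  # slower typist
TEMPLATE = build_template(ENROLLMENT)

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{name}: score={match_score(TEMPLATE, probe):.2f} "
              f"accepted={authenticate(TEMPLATE, probe)}")
```

The impostor knows the password and types the same keys; only the timing gives him away, which is the whole point of the slide.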
Typing Template / Authentication by Keystroke Dynamics
(figures not reproduced in this extract)

Voice Recognition
 Voice recognition - Several characteristics make each person's
voice unique
 A voice template can be created
 The phonetic cadence of putting words together is part of the
real speech pattern, which makes a simple recording harder to
use than a static image
 Caveat: replayed recordings and synthesized speech are
practical attacks, so deployed systems add liveness checks
(for example prompting for a random phrase)

Where You Are: Geolocation
 Geolocation - Identification of the location of a person or
object using technology
 Geolocation may not uniquely identify a user, but it can
indicate that an attacker is trying to perform a malicious
action from a location different from the user's normal
location
 If a computer in China attempts to access a user's bank
website, this may be an indication of an attacker
 Many websites will not allow a user to access an account from
a computer that is located, for example, in North Carolina
when the user normally accesses it from Tennessee; location
is inferred from the IP address, which a VPN or proxy can
change, so it is a risk signal rather than a credential

Single Sign-On
 Identity management - Using a single authentication credential
shared across multiple networks
 Federated identity management (FIM) - When the networks are
owned by different organizations
 Single sign-on (SSO) - One application of FIM using one
authentication credential to access multiple accounts or
applications
 Holds promise to reduce the burden of usernames and passwords
to just one
 Examples of popular SSO technologies: Microsoft Account,
OpenID, and OAuth (strictly an authorization protocol; OpenID
Connect layers authentication on top of it)
 The SSO credential becomes the single point of compromise, so
it is the account that most needs multifactor authentication

Microsoft Account
 Introduced in 1999 as .NET Passport, then renamed Microsoft
Passport Network, then Windows Live ID, now Microsoft Account
 Designed as an SSO for Web commerce, but today serves as the
authentication system for different Microsoft products
 Authentication process:
 User enters username and password
 User is given a time-limited "global" cookie stored on the
computer with an encrypted ID tag
 ID tag is sent to the Web site

OpenID
 OpenID - Decentralized open-source FIM
 Does not require specific software to be installed on the
desktop
 URL-based identity system (OpenID 2.0; the current standard,
OpenID Connect, is built on OAuth 2.0 instead)
 OpenID provides a means to prove a user owns the URL
 One weakness is that it depends on the URL identifier routing
to the correct server, which depends on the domain name
system (DNS) that may have its own security weaknesses

Open Authorization (OAuth)
 Open Authorization (OAuth) - Permits users to share resources
stored on one site with a second site without forwarding
authentication credentials
 Allows seamless data sharing among sites
 Relies on token credentials
 Replaces the need to transfer the user's username and
password
 Tokens are for specific resources (scopes) on a site for a
limited time period
 OAuth by itself answers "may this application access this
resource", not "who is this user"; treating a bare OAuth
access token as proof of identity is a classic mistake

Account Management
 Managing user account passwords can be done by setting
password rules
 Too cumbersome to manage on a user-by-user basis
 Security risk if one user's settings are overlooked
 Preferred approach: assign settings by group
 Microsoft Windows group password settings:
 Password Policy settings
 Account Lockout Policy settings

Password policy settings (Windows Group Policy) and Account
lockout policy settings (Windows Active Directory)
(tables not reproduced in this extract)
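The three settings that make up a Windows Account Lockout Policy (lockout threshold, lockout duration, and the interval after which the failure counter resets) modelled as a small state machine, as an added example that is not part of the original slides. The default values, the `LockoutPolicy` name and the method names are assumptions for the example; the behaviour is what the policy means: failures inside the reset window accumulate, reaching the threshold locks the account for the duration, and a correct password is refused while locked.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Account lockout policy; all three settings are assumed example values."""
    threshold: int = 5              # "Account lockout threshold": failures before lockout
    duration_s: int = 15 * 60       # "Account lockout duration"
    reset_after_s: int = 15 * 60    # "Reset account lockout counter after"
    # user -> (failure_count, last_failure_time, locked_until)
    _state: dict = field(default_factory=dict, repr=False)

    def is_locked(self, user: str, now: float) -> bool:
        _, _, locked_until = self._state.get(user, (0, 0.0, 0.0))
        return now < locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a wrong password; returns True if the account is (now) locked."""
        failures, last, locked_until = self._state.get(user, (0, 0.0, 0.0))
        if now < locked_until:
            return True
        if now - last > self.reset_after_s:
            failures = 0                          # observation window elapsed
        failures += 1
        if failures >= self.threshold:
            self._state[user] = (0, now, now + self.duration_s)
            return True
        self._state[user] = (failures, now, 0.0)
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is refused while locked; otherwise it clears the counter."""
        if self.is_locked(user, now):
            return False
        self._state.pop(user, None)
        return True


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_s=600, reset_after_s=300)
    for t in (0, 10, 20):
        print(f"t={t}: failure -> locked={policy.record_failure('bob', t)}")
    print("t=100: correct password accepted?", policy.record_success("bob", 100))
    print("t=700: correct password accepted?", policy.record_success("bob", 700))
```

Lockout only matters for online guessing (it does nothing against the offline attacks earlier in the deck), and an attacker who knows usernames can deliberately trigger it to lock people out, which is why a finite lockout duration with throttling is preferable to locking until an administrator intervenes.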