User authentication


How do we know that someone really
     is who they claim to be?
In the “days of yore” (typically, the era of your
  grandparents) a handshake was good enough
  to back up a deal … a person’s reputation
  developed over time as he or she became
  known in the community … however, as a
  community becomes larger, and distances
  greater, it becomes necessary to provide
  formal documents that vouch for identity
  and character.
  Documentary proof of identity
The “usual” documents include
• Birth certificate
• Driver’s license (or alternative)
• Passport
Along with others – college id, credit card,
  even utility bills!
(What is needed to open a bank account
How reliable are such documents, in and of
 themselves? In the aggregate?
… consider, if you were so inclined, how
 could you build an alternate identity?
The Internet “community” is too large for
 people to know everyone else directly, and
 on-line “identities” such as ImAGoodGuy
 can be changed readily; the face-to-face
 methods aren’t available here to ascertain
 who someone is, how reliable they are, and
 what level of privilege is available to them.
The primary means to ascertain identity on
 computing systems is by means of a user ID
 and associated password or Personal
 Identification Number (PIN).
A login to a network computer account
 requires an ID and password, as does a dial-
 up session to an Internet Service Provider.
 Need some cash from an ATM? This, too,
 requires a card (with an account number)
 and associated password.
Passwords as the sole means of regulating access
  are a notoriously weak method of
  authentication. People choose passwords that are
  easy to remember, which generally means familiar
  words or names. This practice restricts the range
  of passwords actually in use to a small fraction of
  what is possible, and a password that can be found
  in a dictionary falls quickly to the most common
  attacks on password systems: dictionary and
  brute-force guessing, whether online against the
  login prompt or offline against a stolen password file.
   Improving password security
• Disallow dictionary-based passwords
• Require combinations of upper and lower case
• Include non-alphabetic characters
• Require a minimum of, say, eight characters in a
  password, as short passwords are easier to crack
• Limit the number of unsuccessful login attempts
• Implement a password expiration program such
  that passwords expire at intervals (perhaps every
  thirty days, or even every day or after each
• Implement “challenge and response” strategies, that
  is, periodic re-authentication during long-lived
  secure sessions: users must re-enter the password
  (or second-level personal data) before sensitive
  actions, so a session left open or hijacked does not
  carry full privilege indefinitely
• Ensure that passwords are never sent or kept in the
  clear: transmit them only over an encrypted channel,
  and store them only as salted hashes, never as plaintext
• Implement a physical security inspection
  process that prevents “post-it” problems and
  related physical security leaks
Two caveats a practitioner would add. First, current
  guidance (NIST SP 800-63B) discourages composition
  rules and routine expiration of uncompromised
  passwords, because they push users toward predictable
  variations; length, a blocklist of known-breached
  passwords and rate limiting do more. Second, a lockout
  threshold set too low becomes a denial-of-service lever
  against legitimate users, so lockouts should be
  time-limited rather than permanent.
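As an added example (not from the original slides), the following Python puts the bullets above into code: a policy check that rejects short, single-case, all-alphabetic and dictionary-based passwords (undoing common character substitutions first), salted PBKDF2 storage so the password itself is never kept, and a login guard that locks an account for a limited time after a run of failures. The dictionary, the lockout parameters and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed stand-in for a cracking dictionary; a real deployment loads a
# wordlist with many thousands of entries plus known-breached passwords.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "qwerty", "monkey"}

# Substitutions that attackers' mangling rules undo before a dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8
MAX_FAILURES = 5            # consecutive failures before the account locks
LOCKOUT_SECONDS = 900       # time-limited, so lockout is not a permanent DoS lever
PBKDF2_ITERATIONS = 200_000 # assumed work factor; raise it as hardware allows
DUMMY_SALT = b"\x00" * 16   # used for unknown users so timing does not leak existence


def check_password_policy(pw: str) -> list:
    """Return the policy rules a candidate password violates (empty = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs upper and lower case")
    if not re.search(r"[^A-Za-z]", pw):
        problems.append("needs a non-alphabetic character")
    # Strip trailing digits/punctuation and undo leet substitutions so that
    # "Password1!" and "P@ssw0rd" are both recognised as the word "password".
    stem = re.sub(r"[^A-Za-z]+$", "", pw).translate(LEET).lower()
    if stem in DICTIONARY:
        problems.append("dictionary word")
    return problems


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, digest), never pw."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginGuard:
    """Account store with salted-hash verification and a bounded failure count."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the lockout can be tested
        self._users = {}             # user -> (salt, digest)
        self._failures = {}          # user -> consecutive failures
        self._locked_until = {}      # user -> clock value when the lock lifts

    def register(self, user: str, pw: str) -> None:
        problems = check_password_policy(pw)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self._users[user] = hash_password(pw)

    def attempt(self, user: str, pw: str) -> str:
        now = self._clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked"          # same answer whether or not pw is right
        # Always run the hash, even for unknown users, so response time does
        # not reveal which account names exist.
        salt, digest = self._users.get(user, (DUMMY_SALT, b""))
        if verify_password(pw, salt, digest) and user in self._users:
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        if n >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            return "locked"
        self._failures[user] = n
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "Tr0ub4dor&3")
    print(check_password_policy("P@ssw0rd"))
    print([guard.attempt("alice", "guess") for _ in range(MAX_FAILURES)])
    print(guard.attempt("alice", "Tr0ub4dor&3"))
```

The leet normalisation only approximates what a real cracking tool does with its mangling rules; a production check should run the candidate against a breached-password list as well as a plain dictionary.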
Given that the password mechanism is so
 common, protecting everything from our
 computer files to our bank accounts, it is
 easy to overlook the fact that passwords
 don’t authenticate users at all; they merely
 indicate that someone knows the password!
 There is no actual verification that the
 person entering the code really is the person
 that they claim to be.
This is a staggering realization. Our most
 common method of user authentication
 does not really authenticate the users!
              Biometrics …
Situations and environments requiring high
  levels of security now rely on biometric
  methods to verify identity, with statistically
  higher levels of confidence … methods
  include fingerprinting, hand-scans, voice
  prints, retina scans, even DNA data.
Not all such techniques migrate readily to the
 Internet environment – why not?

Whatever method is chosen for the
 authentication of users, it should be
 relatively non-obtrusive, and, ideally,
 transparent to the user – unless the hassle
 factor is part of the security strategy!
           Online biometrics
One approach that is quite intriguing is that of
  “keystroke dynamics”. Consider that a weakness
  with the existing password system is that anyone
  can type in a correct password and gain admission
  to the system.
 Suppose, however, that the way that you type your
  password is also retained every time you log in:
  how long it takes to enter the password, the
  duration of each keystroke, and the delay between
  successive keystrokes.
Initially, the system is “loose”, allowing some
  variability in the entry, but as time goes on
  the data establishes a “tighter” range of
  acceptable patterns, and in so doing
  increases the probability that the person
  entering the password is the same one, every
  time. The user might never know that the
  system is in place, at least until the usual
  pattern is broken and the login rejected.
Some early research suggested that keyboard dynamics,
  that is, the way a user enters a password, can be
  more discriminating than fingerprinting, though later
  evaluations have generally found its error rates higher
  than those of physiological biometrics such as fingerprints.
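To make the loose-then-tight behaviour concrete, here is an added Python example (not from the slides or from the cited papers): each login is reduced to per-key hold times and between-key flight times, the profile's acceptance band starts at four standard deviations and narrows as accepted logins accrue, and a login succeeds only if the password is correct and enough of the timing features fall inside the band. The timing data is synthesised with a seeded generator, with the owner's and the impostor's rhythms chosen arbitrarily; the password, thresholds and jitter floor are likewise assumptions.

```python
import random
import statistics


def features(events):
    """events: list of (press_ms, release_ms) per typed character, in order.
    Returns hold times followed by flight times (next press minus this release)."""
    holds = [release - press for press, release in events]
    flights = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return holds + flights


class KeystrokeProfile:
    """Per-user rhythm profile that starts loose and tightens as logins accrue."""

    MIN_SAMPLES = 3       # loose phase: only learn, never reject, until this many logins
    STD_FLOOR_MS = 15.0   # never tighten below ordinary motor jitter, or the owner is locked out

    def __init__(self):
        self.samples = []  # one feature vector per accepted login

    def enroll(self, events):
        self.samples.append(features(events))

    def tolerance(self):
        # Acceptance band in standard deviations: 4 sigma after the first login,
        # shrinking by a quarter sigma per accepted login, down to 2 sigma.
        return max(2.0, 4.0 - 0.25 * len(self.samples))

    def score(self, events):
        """Fraction of this attempt's features that fall inside the current band."""
        vec = features(events)
        k = self.tolerance()
        inside = 0
        for value, column in zip(vec, zip(*self.samples)):
            mean = statistics.fmean(column)
            sd = max(statistics.pstdev(column), self.STD_FLOOR_MS)
            if abs(value - mean) <= k * sd:
                inside += 1
        return inside / len(vec)

    def verify(self, events, threshold=0.8):
        if len(self.samples) < self.MIN_SAMPLES:
            return True   # loose phase: not enough history to judge
        return self.score(events) >= threshold


def login(profile, stored_password, typed_password, events):
    """Password check first, rhythm check second; accepted logins refine the profile.
    A real system compares against a stored salted hash rather than the password."""
    if typed_password != stored_password:
        return "rejected: password"
    if not profile.verify(events):
        return "rejected: rhythm"
    profile.enroll(events)
    return "accepted"


def synth_events(rng, hold_ms, flight_ms, jitter_ms, n_keys=6):
    """Constructed timing data (not a real capture): n_keys press/release pairs
    around the given hold and flight times, with uniform jitter."""
    t, events = 0.0, []
    for _ in range(n_keys):
        hold = hold_ms + rng.uniform(-jitter_ms, jitter_ms)
        events.append((t, t + hold))
        t += hold + flight_ms + rng.uniform(-jitter_ms, jitter_ms)
    return events


def run_demo():
    """Owner logs in six times; then the owner and an impostor who knows the
    password each try once. Returns the outcomes so they can be checked."""
    rng = random.Random(7)
    profile = KeystrokeProfile()

    def owner():      # fluent typist: short holds, quick transitions
        return synth_events(rng, hold_ms=90, flight_ms=120, jitter_ms=12)

    def impostor():   # knows the password but hunts for keys: long flights
        return synth_events(rng, hold_ms=40, flight_ms=280, jitter_ms=12)

    loose_phase = KeystrokeProfile().verify(impostor())   # no history yet: passes
    history = [login(profile, "s3cret!", "s3cret!", owner()) for _ in range(6)]
    return {
        "loose_phase": loose_phase,
        "enrollment": history,
        "band_after_six": profile.tolerance(),
        "owner": login(profile, "s3cret!", "s3cret!", owner()),
        "impostor_score": profile.score(impostor()),
        "impostor": login(profile, "s3cret!", "s3cret!", impostor()),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Note the trade-off the slides describe: during the loose phase the impostor passes, and the STD_FLOOR_MS value is what keeps a tired or over-caffeinated owner from being rejected once the band has tightened.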
Similarly, graphical passwords (the “draw-a-secret”
  scheme of Jermyn et al., cited below) can carry the
  same kind of behavioural signature. Suppose that the
  authentication process requires that you physically
  write or draw your password. It would be difficult for
  another person to replicate someone else’s drawing,
  and more difficult still to draw it in the same way,
  with the identical sequence of pen strokes and flourishes.
The use of biometric techniques, and the
  stronger authentication that comes with
  them, would prevent now-routine practices
  such as checking the e-mail of a co-worker
  while traveling; but there are other, more
  reliable and accountable methods, such as
  delegated or shared access privileges, that
  would re-enable that sort of activity without
  handing over a credential.
There is also the problem that any type of remote
  authentication is exposed to eavesdropping
  (“man-in-the-middle” sniffing) and to “replay”
  attacks, in which a captured login exchange is
  resubmitted later and accepted as genuine. These
  too can be addressed by binding a server-chosen
  nonce, a time stamp and sequencing information
  into each exchange, so that a captured response is
  valid only once and only for a short window.
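The countermeasure sketched above, as an added Python example rather than the slides' own material: the server issues a single-use random nonce, the client answers with an HMAC over user name, nonce, its own timestamp and a sequence number under a pre-shared key, and the server checks nonce, freshness, ordering and tag in that order. The key, clock values and user name are constructed for the demonstration; the checks show a captured response failing when replayed verbatim, when its tag is spliced onto a fresh nonce, and when it is delayed past the freshness window.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW_SECONDS = 30   # how far a response's timestamp may drift from server time


def sign(key, user, nonce, timestamp, seq):
    """Tag binding user, server nonce, client timestamp and sequence number.
    The nonce is hex-encoded and '|' cannot occur in the numeric fields, so the
    encoding is unambiguous (a production format would length-prefix the user)."""
    msg = f"{user}|{nonce.hex()}|{timestamp}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the demo is deterministic
        self.keys = {}           # user -> pre-shared secret
        self.pending = {}        # outstanding nonce -> user it was issued to
        self.last_seq = {}       # user -> highest sequence number accepted

    def challenge(self, user):
        nonce = os.urandom(16)
        self.pending[nonce] = user
        return nonce

    def verify(self, user, nonce, timestamp, seq, tag):
        # 1. The nonce must be one we issued to this user; it is consumed on
        #    first use, so a verbatim resubmission fails here.
        if self.pending.pop(nonce, None) != user:
            return "rejected: unknown or reused nonce"
        # 2. Freshness: a response held back and sent later is stale.
        if abs(self.clock() - timestamp) > MAX_SKEW_SECONDS:
            return "rejected: stale timestamp"
        # 3. Ordering: sequence numbers must strictly increase per user.
        if seq <= self.last_seq.get(user, 0):
            return "rejected: sequence number"
        # 4. Integrity: the tag must cover exactly these fields (constant-time compare).
        key = self.keys.get(user)
        if key is None or not hmac.compare_digest(sign(key, user, nonce, timestamp, seq), tag):
            return "rejected: bad tag"
        self.last_seq[user] = seq
        return "accepted"


class Client:
    def __init__(self, user, key, clock=time.time):
        self.user, self.key, self.clock, self.seq = user, key, clock, 0

    def respond(self, nonce):
        self.seq += 1
        ts = int(self.clock())
        return (self.user, nonce, ts, self.seq, sign(self.key, self.user, nonce, ts, self.seq))


def run_demo():
    """Four exchanges on a constructed fixed clock: a valid login, a replay of the
    captured response, a forgery splicing the captured tag onto a fresh nonce, and
    a valid response delayed past the skew window."""
    now = [1_700_000_000]                    # constructed clock value
    clock = lambda: now[0]
    key = b"constructed-demo-shared-secret"  # assumption: pre-shared per user
    server = Server(clock)
    server.keys["alice"] = key
    alice = Client("alice", key, clock)

    captured = alice.respond(server.challenge("alice"))
    first = server.verify(*captured)
    replay = server.verify(*captured)        # eavesdropper resubmits verbatim

    user, _, ts, seq, tag = captured         # eavesdropper reuses the old tag with a new nonce
    forged = server.verify(user, server.challenge("alice"), ts, seq + 1, tag)

    delayed = alice.respond(server.challenge("alice"))
    now[0] += MAX_SKEW_SECONDS + 31          # legitimate response arrives too late
    stale = server.verify(*delayed)
    return {"first": first, "replay": replay, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(run_demo())
```

In practice the encrypted channel (TLS) supplies confidentiality and server authentication; the nonce, timestamp and sequence checks are what defeat replay even if a past exchange is recorded, and the pending-nonce table should expire entries so an attacker cannot fill it by requesting challenges.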
And there’s always the possibility that if the
 biometric patterns are too rigidly enforced,
 an extra cup of coffee on the way to work
 might prevent a user from accessing his or
 her own account.
The need for user authentication commensurately
  increases as the degree to which users access
  privileged information or conduct financial
  transactions increases. A solution that requires a
  high level of confidence in the user authentication
  process will likely use several techniques in concert,
  so as to raise the probability of accurate
  authentication as close to 100% as is possible.
An interesting early paper on user
 authentication through keystroke analysis is:
 Fabian Monrose and Avi Rubin.
 Authentication via keystroke dynamics. In
 Proceedings of the 4th ACM Conference on
 Computer and Communications Security,
 pages 48-56, April 1997.
Graphical passwords are explored in: I.
 Jermyn, A. Mayer, F. Monrose, M. Reiter,
 A. Rubin, "The Design and Analysis of
 Graphical Passwords," In Proceedings of
 the 8th USENIX Security Symposium,
 Washington, D.C., August 1999.
