Authentication-I
   Identification - a claim about identity
     – Who or what I am (global or local)
   Authentication - confirming that claims are true
     – I am who I say I am
     – I have a valid credential
   Authorization - granting permission based on a valid claim
     – Now that I have been validated, I am allowed to access certain
       resources or take certain actions
   Access control system - a system that authenticates users and
    gives them access to resources based on their authorizations
     – Includes or relies upon an authentication mechanism
     – May include the ability to grant coarse or fine-grained
       authorizations, revoke or delegate authorizations

                                        Slides modified from Lorrie Cranor, CMU
Building blocks of
   Factors
    – Something you know (or recognize)
    – Something you have
    – Something you are
   Mechanisms
    –   Text-based passwords
    –   Graphical passwords
    –   Hardware tokens
    –   Public key crypto protocols
    –   Biometrics
Two factor systems

   Two factors are better than one
    – Especially two factors from different categories

Question: What are some examples of two-
 factor authentication?

   Accessibility
   Memorability
    – Depth of processing, retrieval, meaningfulness
   Security
    – Predictability, abundance, disclosure,
      crackability, confidentiality
   Cost
   Environmental considerations
    – Range of users, frequency of use, type of
      access, etc.
Typical password advice
   Pick a hard to guess password
   Don’t use it anywhere else
   Change it often
   Don’t write it down
    – Do you?
Problems with Passwords
   Selection
     – Difficult to think of a good password
     – Passwords people think of first are easy to guess
   Memorability
     – Easy to forget passwords that aren’t frequently used
     – Difficult to remember “secure” passwords with a mix of upper &
       lower case letters, numbers, and special characters
   Reuse
     – Too many passwords to remember
     – A previously used password is memorable
   Sharing
     – Often unintentional through reuse
     – Systems aren’t designed to support the way people work
       together and share information
How Long does it take to Crack a Password?
   Brute force attack
   Assuming 100,000 encryption operations per second
   FIPS Password Usage
     – 3.3.1 Passwords shall have maximum lifetime of 1 year

   Password   26 characters     36 characters         52 characters         68 characters                       94 characters
   length     (lower case)      (letters and digits)  (mixed case letters)  (single case letters with digits,   (all displayable ASCII characters
                                                                            symbols and punctuation)            including mixed case letters)
   3          0.18 seconds      0.47 seconds          1.41 seconds          3.14 seconds                        8.3 seconds
   4          4.57 seconds      16.8 seconds          1.22 minutes          3.56 minutes                        13.0 minutes
   5          1.98 minutes      10.1 minutes          1.06 hours            4.04 hours                          20.4 hours
   6          51.5 minutes      6.05 hours            13.7 days             2.26 months                         2.63 months
   7          22.3 hours        9.07 days             3.91 months           2.13 years                          20.6 years
   8          24.2 days         10.7 months           17.0 years            1.45 centuries                      1.93 millennia
   9          1.72 years        32.2 years            8.82 centuries        9.86 millennia                      182 millennia
   10         44.8 years        1.16 millennia        45.8 millennia        670 millennia                       17,079 millennia
   11         11.6 centuries    41.7 millennia        2,384 millennia       45,582 millennia                    1,605,461 millennia
   12         30.3 millennia    1,503 millennia       123,946 millennia     3,099,562 millennia                 150,913,342 millennia
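As an added example (not from the slides, which give only the finished table), the script below recomputes the brute-force table from its stated assumptions, exhaustive search of every string of a given length at 100,000 guesses per second, and lets you rerun it at a different guess rate; the column names and the 365-day year / 365/12-day month conventions are my assumptions chosen to match the slide's figures.

```python
# Added example, not from the slides: recompute the brute-force time table from
# its stated assumptions and show how the estimate moves with the guess rate.

SLIDE_RATE = 100_000  # guesses per second assumed by the slide table

# Character-set sizes heading the table's columns (labels are my own)
CHARSETS = {
    "lower case": 26,
    "letters and digits": 36,
    "mixed case letters": 52,
    "single case + digits + symbols": 68,
    "all displayable ASCII": 94,
}

# Calendar units as the table appears to use them: 365-day year, 365/12-day month
_UNITS = [
    ("millennia", 1000 * 365 * 86400),
    ("centuries", 100 * 365 * 86400),
    ("years", 365 * 86400),
    ("months", 365 * 86400 / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]


def search_seconds(charset_size: int, length: int, rate: float = SLIDE_RATE) -> float:
    """Seconds to try every string of exactly `length` symbols at `rate` guesses/s."""
    return charset_size ** length / rate


def humanize(seconds: float) -> tuple[float, str]:
    """Express a duration in the largest unit in which it is at least 1."""
    for name, size in _UNITS:
        if seconds >= size:
            return seconds / size, name
    return seconds, "seconds"


def table_row(length: int, rate: float = SLIDE_RATE) -> dict[str, str]:
    """One table row: {column name: '1.93 millennia'} for the given password length."""
    row = {}
    for name, n in CHARSETS.items():
        value, unit = humanize(search_seconds(n, length, rate))
        text = f"{value:,.0f}" if value >= 100 else f"{value:.1f}" if value >= 10 else f"{value:.2f}"
        row[name] = f"{text} {unit}"
    return row


if __name__ == "__main__":
    for rate in (SLIDE_RATE, 1e10):  # slide assumption vs. a far faster guesser
        print(f"--- {rate:,.0f} guesses/s ---")
        for length in range(3, 13):
            print(length, table_row(length, rate))
```

Recomputing gives 2.29 days and 11.4 days for the 52- and 68-character cells at length 6, so those two slide entries do not follow from the stated 100,000 guesses/s; raising the rate to 10^10 guesses/s shrinks the 94-character, length-8 search from 1.93 millennia to about a week.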

The Password Quiz

   What is your score?
   Do you agree with each piece of
   What is the most common problem in the
   Any bad habits not addressed?
        Check your password


         Question: Why don’t all sites do this?
Text-based passwords

   Random (system or user assigned)
   Mnemonic
   Challenge questions (semantic)

   Anyone ever had a system assigned
    random password? Your experience?
          Mnemonic Passwords
   Phrase: Four score and seven years ago, our Fathers
   First letter of each word (with
           fsasya,oF
   Substitute numbers for words or similar-looking letters
   Substitute symbols for words or similar-looking letters

Source: Cynthia Kuo, SOUPS 2006
          The Promise?

             Phrases help users incorporate
              different character classes in
                – Easier to think of character-for-word
             Virtually infinite number of phrases
             Dictionaries do not contain mnemonics

Source: Cynthia Kuo, SOUPS 2006
Memorability of Password
   Goal
    – examine effects of advice on password
      selection in real world
   Method: experiment
   Independent variables?
          Advice given
   Dependent variables?
          Attacks, length, requests, memorability
Study, cont.

   Conditions
    – Comparison
    – Control
    – Random password
    – Passphrase (mnemonic)
   Students randomly assigned
   Attacks performed one month later
   Survey four months later
   All conditions had longer passwords than the comparison group
   Random & passphrase conditions had significantly
    fewer successful attacks
   Requests for password the same
   Random group kept written copy of password for
    much longer than others
   Non-compliance rate of 10%

What are the implications?
What are the strengths of the study? Weaknesses?
          Mnemonic password
             Mnemonic passwords are not a panacea, but are an
              interesting option
                – No comprehensive dictionary today
             May become more vulnerable in future
                – Users choose music lyrics, movies, literature, and
                – Attackers incentivized to build dictionaries
             Publicly available phrases should be avoided!

          C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic
             Phrase-Based Passwords. In Proceedings of the 2006 Symposium On
             Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

Source: Cynthia Kuo, SOUPS 2006
Password keeper
   Run on PC or handheld
   Only remember one password

   How many use one of these?
   Advantages?
   Disadvantages?
“Forgotten password”
   Email password or magic URL to address on file
   Challenge questions
   Why not make this the normal way to access
    infrequently used sites?
Challenge Questions

   Question and answer pairs
   Issues:
    – Privacy: asking for personal info
    – Security: how difficult are they to guess and
    – Usability: answerable? how memorable? How

What challenge questions have you seen?
Challenge questions

   How likely to be guessed?
   How concerned should we be about
    – Shoulder surfing?
    – Time to enter answers?
    – A knowledgeable other person?
    – Privacy?
Graphical Passwords
   We are much better at remembering
    pictures than text
   User enters password by clicking on the
    – Choosing correct set of images
    – Choosing regions in a particular image
   Potentially more difficult to attack (no

   Anyone ever used one?

                   Choose a series of
                      – Random[1]
                      – Passfaces[2]
                      – Visual passwords (for
                        mobile devices)[3]
                      – Provide your own
1.   R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in
     Proceedings of 9th USENIX Security Symposium, 2000.
3.   W. Jansen et al., "Picture Password: A Visual Login Technique for Mobile Devices," National Institute of
     Standards and Technology Interagency Report NISTIR 7030, 2003.

                   Click on regions of
                      – Blonder’s original idea:
                        click on predefined
                        regions [1]
                      – Passlogix – click on
                        items in order [2]
                      – Passpoints – click on
                        any point in order [3]
1.   G. E. Blonder, "Graphical passwords," in Lucent Technologies,
     Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996.
3.   S. Wiedenbeck, et al. "Authentication using graphical passwords:
     Basic results," in Human-Computer Interaction International
     (HCII 2005). Las Vegas, NV, 2005.

   Freeform
    – Draw-a-Secret (DAS)
     I. Jermyn et al., "The Design and Analysis of
         Graphical Passwords," in Proceedings of the 8th
         USENIX Security Symposium, 1999.

    – Signature drawing
            Theoretical Comparisons
   Advantages:
     – As memorable or more than text
     – As large a password space as text passwords
     – Attack needs to generate mouse output
     – Less vulnerable to dictionary attacks
     – More difficult to share
   Disadvantages:
     – Time consuming
     – More storage and communication requirements
     – Shoulder surfing an issue
     – Potential interference if becomes widespread

See a nice discussion in: Suo and Zhu. “Graphical Passwords: A Survey,” in the Proceedings of the 21st Annual Computer
Security Applications Conference, December 2005.
How do they really
   Many studies of various schemes…
   Faces vs. Story
    – Method: experiment
           Independent – participant race and sex, faces or story
           Dependent – types of items chosen, likelihood of attack
    – Real passwords – used to access grades, etc.
    – Also gathered survey responses
    – Results:
           We are highly predictable, particularly for faces
          Attacker could have succeeded with 1 or 2 guesses for
           10% of males!

    – Implications?
          Other examples

             Passpoints predictable too!

             Can predict or discover hot spots to
              launch attacks.
Julie Thorpe and P.C. van Oorschot. Human-Seeded Attacks and
Exploiting Hot-Spots in Graphical Passwords, in Proceedings of 16th USENIX Security Symposium, 2007.
         Other uses of images

            CAPTCHA – differentiate between
             humans and computers
              – Use computer generated image to
                guarantee interaction coming from a
              – An AI-hard problem

Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford. “CAPTCHA: Using Hard AI Problems for
Security,” In Advances in Cryptology, Eurocrypt 2003.
More food for thought

   How concerned should we be about
    the weakest link/worse case user?
    – Do we need 100% compliance for good
      passwords? How do we achieve?
   What do you think of “bugmenot”
   Is it possible to have authorization
    without identification?
Project Groups
   3 groups of 4, 1 group of 3
   Form your group by the END of class next
   Preliminary user study of privacy or security
    application, mechanism, or concerns
   Deliverables:
    –   Idea
    –   Initial plan 5 points
    –   Plan 20 points
    –   Report 20 points
    –   Presentation 5 points
Project Ideas
   Start with a question or problem…
    – Why don’t more people encrypt their emails?
    – How well does product X work for task Y?
    – What personal information do people expect to
      be protected?
   Flip through chapters in the book & papers
    – Follow up on existing study
   Examine your own product/research/idea
   Examine something you currently find
    frustrating, interesting, etc.
A Look Ahead

   Next week: User studies
    – pay attention to the method of study in
      your readings
    – ALSO: observation assignment
   Two weeks – rest of authentication
    – ALSO: project ideas due
Next week’s assignment

   Observe people using technology
    – Public place, observe long enough for
      multiple users
    – Take notes on what you see
          Think about privacy and security, but observe
           and note everything
    – Write up a few paragraphs describing
      your observations

   Don’t forget IRB certification