ACCESS CONTROL DEVICES
Successful access control system includes number of components, depending on system’s needs for authentication and authorization
Strong authentication requires at least two forms of authentication to authenticate the supplicant’s identity
The technology to manage authentication based on what a supplicant knows is widely integrated into the networking and security software systems in use across the IT industry
Authentication is validation of a supplicant’s identity
Four general ways in which authentication is carried out:
What a supplicant knows
What a supplicant has
Who a supplicant is
What a supplicant produces
Authorization: Are you allowed to do that?
Enforces limits on actions
Note: Access control often used as synonym for authorization
How to authenticate a human to a machine?
Can be based on…
Something you know
For example, a password
Something you have
For example, a smartcard
Something you are
For example, your fingerprint
Lots of things act as passwords!
Social security number
Mother’s maiden name
Date of birth
Name of your pet, etc.
Trouble with Passwords
“Passwords are one of the biggest practical problems facing security engineers today.”
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”
Why is “something you know” more popular than “something you have” and “something you are”?
Cost: passwords are free
Convenience: easier for SA to reset pwd than to issue user a new thumb
Keys vs Passwords
Spse key is 64 bits
Then 264 keys
Choose key at random
Then attacker must try about 263 keys
Spse passwords are 8 characters, and 256 different characters
Then 2568 = 264 pwds
Users do not select passwords at random
Attacker has far less than 263 pwds to try (dictionary attack)
Good and Bad Passwords
Three groups of users ¾ each group advised to select passwords as follows
Group A: At least 6 chars, 1 non-letter
Group B: Password based on passphrase
Group C: 8 random characters
Group A: About 30% of pwds easy to crack
Group B: About 10% cracked
Passwords easy to remember
Group C: About 10% cracked
Passwords hard to remember
User compliance hard to achieve
In each case, 1/3rd did not comply (and about 1/3rd of those easy to crack!)
Assigned passwords sometimes best
If passwords not assigned, best advice is
Choose passwords based on passphrase
Use pwd cracking tool to test for weak pwds
Require periodic password changes?
Attacks on Passwords
Target one particular account
Target any account on system
Target any account on any system
Attempt denial of service (DoS) attack
Common attack path
Outsider ® normal user ® administrator
May only require one weak password!
Suppose system locks after 3 bad passwords. How long should it lock?
Until SA restores service
What are +’s and -’s of each?
Bad idea to store passwords in a file
But need a way to verify passwords
Cryptographic solution: hash the passwords
Store y = h(password)
Can verify entered password by hashing
If attacker obtains password file, he does not obtain passwords
But attacker with password file can guess x and check whether y = h(x)
If so, attacker has found password!
Attacker pre-computes h(x) for all x in a dictionary of common passwords
Suppose attacker gets access to password file containing hashed passwords
Attacker only needs to compare hashes to his pre-computed dictionary
Same attack will work each time
Can we prevent this attack? Or at least make attacker’s job more difficult?
Password Cracking:Do the Math
Pwds are 8 chars, 128 choices per character
Then 1288 = 256 possible passwords
There is a password file with 210 pwds
Attacker has dictionary of 220 common pwds
Probability of 1/4 that a pwd is in dictionary
Work is measured by number of hashes
Must try 256/2 = 255 on average
Just like exhaustive key search
Attack 1 password with dictionary
Expected work is about
But in practice, try all in dictionary and quit if not found work is at most 220 and probability of success is 1/4
Attack any of 1024 passwords in file
Assume all 210 passwords are distinct
Need 255 comparisons before expect to find password
If no salt, each hash computation gives 210 comparisons Þ the expected work (number of hashes) is 255/210 = 245
If salt is used, expected work is 255 since each comparison requires a new hash computation
Attack any of 1024 passwords in file
Probability at least one password is in dictionary is 1 - (3/4)1024 = 1
We ignore case where no pwd is in dictionary
If no salt, work is about 219/210 = 29
If salt, expected work is less than 222
Note: If no salt, we can precompute all dictionary hashes and amortize the work
Password cracking is too easy!
One weak password may break security
Users choose bad passwords
Social engineering attacks, etc.
The bad guy has all of the advantages
All of the math favors bad guys
Passwords are a big security problem
Password Cracking Tools
Popular password cracking tools
L0phtCrack and LC4 (Windows)
John the Ripper (Unix)
Admins should use these tools to test for weak passwords since attackers will!
Good article on password cracking
Passwords - Conerstone of Computer Security
“You are your key” ¾ Schneier
Gait (walking) recognition
“Digital doggie” (odor recognition)
Biometrics seen as desirable replacement for passwords
Cheap and reliable biometrics needed
Today, a very active area of research
Biometrics are used in security today
Palm print for secure entry
Fingerprint to unlock car door, etc.
But biometrics not too popular
Has not lived up to its promise (yet)
Universal ¾ applies to (almost) everyone
In reality, no biometric applies to everyone
Distinguishing ¾ distinguish with certainty
In reality, cannot hope for 100% certainty
Permanent ¾ physical characteristic being measured never changes
In reality, want it to remain valid for a long time
Collectable ¾ easy to collect required data
Depends on whether subjects are cooperative
Safe, easy to use, etc., etc.
ü Identification ¾ Who goes there?
Compare one to many
Example: The FBI fingerprint database
Authentication Is that really you?
Compare one to one
Example: Thumbprint mouse
Identification problem more difficult
More “random” matches since more comparisons
Examples of loops, whorls and arches
Minutia extracted from these features