The Authentication Process
Authentication usually
operates as described previously. However, users occasionally mistype their
passwords. A user who receives a message of INCORRECT LOGIN will carefully retype
the login and gain access to the system. Even a user who is a terrible typist
should be able to log in successfully in a few tries.
Some authentication
procedures are intentionally slow. A legitimate user will not complain if the
login process takes 5 or 10 seconds. To a penetrator who is trying an
exhaustive search or a dictionary search, however, 5 or 10 seconds per trial
makes this class of attack generally infeasible.
Someone whose login attempts continually fail
may not be an authorized user. Systems commonly disconnect a user after a small
number of failed logins, forcing the user to reestablish a connection with the
system. (This action will slow down a penetrator who is trying to penetrate the
system by telephone. After a small number of failures, the penetrator must
reconnect, which takes a few seconds.)
Sidebar
4-4: Single Sign-On
Authenticating to multiple systems is
unpopular with users. Left on their own, users will reuse the same password to
avoid having to remember many different passwords. For example, users become
frustrated at having to authenticate to a computer, a network, a mail system,
an accounting system, and numerous web sites. The panacea for this frustration
is called single sign-on. A user
authenticates once per session, and the system forwards that authenticated
identity to all other processes that would require authentication.
Obviously, the strength of single sign-on
can be no better than the strength of the initial authentication, and quality
diminishes if someone compromises that first authentication or the transmission
of the authenticated identity. Trojan horses, sniffers and wiretaps,
man-in-the-middle attacks, and guessing can all compromise a single sign-on.
Microsoft has developed a single sign-on
solution for its .net users. Called a "passport," the single sign-on
mechanism is effectively a folder in which the user can store login credentials
for other sites. But, as the market research firm Gartner Group points out [PES01],
users are skeptical about using single sign-on for the Internet, and they are
especially wary of entrusting the security of credit card numbers to a single
sign-on utility.
Although a desired feature, single
sign-on raises doubt about what a computer is doing on behalf of or in the name
of a user, perhaps without that user's knowledge.
In more secure installations,
stopping penetrators is more important than tolerating users' mistakes. For
example, some system administrators assume that all legitimate users can type
their passwords correctly within three tries. After three successive password
failures, the account for that user is disabled and only the security
administrator can reenable it. This action identifies accounts that may be the
target of attacks by penetrators.
Fixing Flaws in the Authentication Process
Password authentication
assumes that anyone who knows a password is the user to whom the password
belongs. As we have seen, passwords can be guessed, deduced, or inferred. Some
people give out their passwords for the asking. Other passwords have been obtained
just by someone watching a user typing in the password. The password can be
considered as a preliminary or first-level piece of evidence, but skeptics will
want more convincing proof.
There are several ways to
provide a second level of protection, including another round of passwords or a
challengeresponse interchange.
ChallengeResponse Systems
As we have just seen, the
login is usually time invariant. Except when passwords are changed, each login
looks like every other. A more sophisticated login requires a user ID and
password, followed by a challengeresponse interchange. In such an interchange,
the system prompts the user for a reply that will be different each time the
user logs in. For example, the system might display a four-digit number, and the
user would have to correctly enter a function such as the sum or product of the
digits. Each user is assigned a different challenge function to compute.
Because there are many possible challenge functions, a penetrator who captures
the user ID and password cannot necessarily infer the proper function.
A physical device similar to
a calculator can be used to implement a more complicated response function. The
user enters the challenge number, and the device computes and displays the
response for the user to type in order to log in. (For more examples, see Chapter 7's discussion of network
authentication.)
Impersonation of Login
In the systems we have
described, the proof is one-sided. The system demands certain identification of
the user, but the user is supposed to trust the system. However, a programmer
can easily write a program that displays the standard prompts for user ID and
password, captures the pair entered, stores the pair in a file, displays SYSTEM
ERROR; DISCONNECTED, and exits. This attack is a type of Trojan horse.
The perpetrator sets it up,
leaves the terminal unattended, and waits for an innocent victim to attempt a
login. The naïve victim may not even suspect that a security breach has
occurred.
To foil this type of attack,
the user should be sure the path to the system is reinitialized each time the
system is used. On some systems, turning the terminal off and on again or
pressing the BREAK key generates a clear signal to the computer to halt any
running process for the terminal. (Microsoft chose <CTRLALTDELETE> as the
path to the secure authorization mechanism for this reason.) Not every computer
recognizes power-off or BREAK as an interruption of the current process,
though. And computing systems are often accessed through networks, so physical
reinitialization is impossible.
Alternatively, the user can
be suspicious of the computing system, just as the system is suspicious of the
user. The user will not enter confidential data (such as a password) until
convinced that the computing system is legitimate. Of course, the computer
acknowledges the user only after passing the authentication process. A
computing system can display some information known only by the user and the
system. For example, the system might read the user's name and reply "YOUR
LAST LOGIN WAS 10 APRIL AT 09:47." The user can verify that the date and
time are correct before entering a secret password. If higher security is
desired, the system can send an encrypted timestamp. The user decrypts this and
discovers that the time is current. The user then replies with an encrypted
timestamp and password, to convince the system that a malicious intruder has
not intercepted a password from some prior login.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.