Lecture 6 - Chapter 3: User Authentication

by: Leslie Ogu


About this Document

We begin our discussion around the authentication process, and how users are granted access to certain domains, or systems. Typically, there is a process of password checking with a given username ...
Computer Security
Mohamed Tamer Abdelrahman Refaei
Class Notes
This 5 page Class Notes was uploaded by Leslie Ogu on Friday October 7, 2016. The Class Notes belongs to CSCI 4531 at George Washington University taught by Mohamed Tamer Abdelrahman Refaei in Fall 2016. Since its upload, it has received 6 views. For similar materials see Computer Security in Computer science at George Washington University.

Date Created: 10/07/16
Leslie Ogu CSCI 4531 10/04/2016 - Chapter 3: User Authentication

RFC 4949
● RFC 4949 defines user authentication as: “The process of verifying an identity claimed by or for a system entity”

Authentication Process
● Fundamental building block and primary line of defense
● Basis for access control and user accountability
● Identification Step
○ Presenting an identifier to the security system
● Verification Step
○ Presenting or generating authentication information that corroborates the binding between the entity and the identifier

The four means of authenticating user identity are based on:
● Something the individual knows
○ Password, PIN, answers to prearranged questions
● Something the individual possesses (token)
○ Smartcard, electronic keycard, physical key
● Something the individual is (static biometrics)
○ Fingerprint, retina, face
● Something the individual does (dynamic biometrics)
○ Voice pattern, handwriting, typing rhythm
○ ** This is dynamic because it varies from one presentation to the next **

Risk Assessment for User Authentication
● There are 3 separate concepts:
○ Assurance Level
○ Potential Impact
○ Areas of Risk

Assurance Level
+ Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity
+ More specifically, it is defined as:
  + The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
  + The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued
+ Four Levels of Assurance:
  + Level 1: Little or no confidence in the asserted identity’s validity
  + Level 2: Some confidence in the asserted identity’s validity
  + Level 3: High confidence in the asserted identity’s validity
  + Level 4: Very high confidence in the asserted identity’s validity

Potential Impact
+ FIPS 199 defines the 3 levels of potential impact on organizations or individuals should there be a breach of security:
  + Low: An authentication error could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
  + Moderate: An authentication error could be expected to have a serious adverse effect
  + High: An authentication error could be expected to have a severe or catastrophic adverse effect

Password Authentication
+ Widely used line of defense against intruders
+ Users provide name/login and password
+ System compares the password with the one stored for that specific login
+ The user ID:
  + Determines that the user is authorized to access the system
  + Determines the user’s privileges
  + Is used in discretionary access control

Password Vulnerabilities
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against a single user
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring

There is a diagram on hashing and salt in the slides
● The salt is a randomly generated value (letters, digits, other characters) that is combined with the password before hashing; two users with the same password then get different stored hashes, and an attacker must hash each guess separately for every salt

UNIX Implementation
● Original Scheme
○ Up to eight printable characters in length
○ 12-bit salt used to modify DES encryption into a one-way hash function
○ Zero value repeatedly encrypted 25 times
○ Output translated to an 11-character sequence
● Now regarded as inadequate
○ Still often required for compatibility with existing account management software or multivendor environments

Improved Implementations
+ Much stronger hash/salt schemes available for Unix
+ Recommended hash function is based on MD5
  + Salt of up to 48 bits
  + Password length is unlimited
  + Produces a 128-bit hash
  + Uses an inner loop with 1000 iterations to achieve slowdown
+ OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
  + Most secure version of the Unix hash/salt scheme
  + Uses a 128-bit salt to create a 192-bit hash value

Password Cracking
- Dictionary Attacks
  - Develop a large dictionary of possible passwords and try them against the password file
  - Each password must be hashed using each salt value and then compared to the stored hash values
  - Password crackers exploit the fact that people choose easily guessable passwords
  - Shorter passwords are easier to crack
- Rainbow Table Attacks
  - Pre-compute tables of hash values for all salts
  - A mammoth table of hash values
  - Can be countered by using a sufficiently large salt value and a sufficiently large hash length
- John the Ripper
  - Open-source password cracker first developed in 1996
  - Uses a combination of brute-force and dictionary techniques

Password Resilience to Cracking
+ Define a metric of how well the system can withstand dictionary attacks
+ Could be a function of time
+ Anderson’s formula
  + Information Security in a Multi-User Computing Environment, Advances in Computers, 1972
  + We want to estimate P, the probability of guessing a password in a specified period of time, given:
    + G = number of guesses tested in 1 time unit
    + T = number of time units
    + N = number of possible passwords (|A|)
  + We can estimate: P ≥ TG / N
+ Example of this is in slides

Modern Approaches
+ Complex password policy
  + Forcing users to pick stronger passwords
+ However, password-cracking techniques have also improved:
  + The processing capacity available for password cracking has increased dramatically
    + A PC running a single AMD Radeon HD7970 GPU, for instance, can try an average of 8.2 × 10^9 password combinations each second
  + The use of sophisticated algorithms to generate potential passwords
  + Studying examples and structures of actual passwords in use

Password File Access Control
+ Can block offline guessing attacks by denying access to the encrypted passwords
  + Make them available only to privileged users
  + Shadow password file
+ Vulnerabilities
  + Weakness in the OS that allows access to the file
  + Accident with permissions making it readable
  + Users with the same password on other systems
  + Access from backup media
  + Sniffing passwords in network traffic

Password Selection Strategies
● User education
○ Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords
● Computer-generated passwords
○ Users have trouble remembering them
● Reactive password checking
○ System periodically runs its own password cracker to find guessable passwords
● Complex password policy
○ The user is allowed to select their own password; however, the system checks whether the password is allowable and, if not, rejects it
○ Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable

Proactive Password Checking
● Password Cracker
○ Compile a large dictionary of passwords not to use
● Rule Enforcement
○ Specific rules passwords must adhere to
● Bloom Filter
○ Used to build a table based on the dictionary using hashes
○ Check the desired password against the table

Bloom Filters
● A filter of order k has k independent hash functions
○ H_i(x), 1 ≤ i ≤ k
○ Each hash function maps x to a value in [0, N-1]
● Given a dictionary of D words
● A table T of 1 × N bits is defined
○ T(j) is the value of column j, 0 ≤ j ≤ N-1
● For each word w in the dictionary D, calculate
○ w_i = H_i(w), 1 ≤ i ≤ k
○ Set T(w_i) = 1
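Anderson's formula from the Password Resilience section, carried through on the guess rate the notes themselves cite. This worked example is added here and is not the example from the slides; the 30-day attack window is an assumed attacker budget.

$$P \ge \frac{TG}{N}$$

If $N < 2TG$ then $P \ge TG/N > \tfrac{1}{2}$, so keeping even this lower bound at or below one half requires $N \ge 2TG$. With $G = 8.2 \times 10^{9}$ guesses per second (the single-GPU figure above) and $T = 30$ days $= 2.592 \times 10^{6}$ s:

$$TG = 2.592 \times 10^{6} \times 8.2 \times 10^{9} \approx 2.13 \times 10^{16}, \qquad N \ge 2TG \approx 4.25 \times 10^{16} \approx 2^{55.2}$$

For passwords drawn uniformly from the 95 printable ASCII characters, $N = 95^{L}$:

$$95^{8} \approx 6.6 \times 10^{15} < 4.25 \times 10^{16} < 95^{9} \approx 6.3 \times 10^{17}$$

so a random 8-character password is inside this attacker's 30-day budget and a random 9-character one is not. Two caveats a practitioner should attach: $G$ here is an offline rate against a fast hash, so an iterated scheme like the MD5-based or bcrypt ones above divides $G$ by its iteration count, and human-chosen passwords have far fewer than $95^{L}$ effective possibilities, which is exactly what the dictionary attacks above exploit.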
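The salted-hash diagram and the dictionary-attack bullets above, carried through in working code. This is an added example, not code from the notes or the slides. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than the MD5-crypt or bcrypt schemes the notes describe (an assumption made so it runs anywhere), but it has the same shape: a one-way function iterated over salt plus password. The iteration count of 1000 mirrors the notes and is only there to divide the attacker's guess rate; a deployment today would use a much larger count or bcrypt/scrypt/Argon2. The shadow records and the word list are constructed sample data.

```python
"""Salted, iterated password hashing, and what per-user salt does to the cost of
an offline dictionary attack versus a precomputed (rainbow-table style) lookup.
Added example; the hash choice (PBKDF2-HMAC-SHA256) and sample data are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# Slowdown factor. 1000 mirrors the "inner loop of 1000 iterations" in the notes;
# real deployments use far more, or a memory-hard function.
ITERATIONS = 1000

ShadowEntry = Tuple[str, bytes, bytes]  # (user, salt, stored hash)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way hash over salt + password, iterated so every guess costs the attacker more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_shadow_entry(user: str, password: str) -> ShadowEntry:
    """Record as a shadow file would store it. The salt is random and per user;
    16 bytes = 128 bits, the salt size the notes give for bcrypt."""
    salt = os.urandom(16)
    return user, salt, hash_password(password, salt)


def verify(entry: ShadowEntry, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare.
    compare_digest keeps the comparison time independent of how many bytes match."""
    _user, salt, stored = entry
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def dictionary_attack(entries: Iterable[ShadowEntry], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on a captured salted shadow file.
    Returns (cracked passwords by user, number of hashes the attacker had to compute).
    Every entry carries its own salt, so each word is re-hashed for each account:
    work grows as len(wordlist) * len(entries)."""
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for user, salt, stored in entries:
        for word in wordlist:
            hashes_computed += 1
            if hash_password(word, salt) == stored:
                cracked[user] = word
                break
    return cracked, hashes_computed


def precomputed_table_attack(unsalted_entries: Iterable[Tuple[str, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same attack against a file that stored H(password) with no salt.
    One table of len(wordlist) hashes serves every account at once; this is the
    precomputation that rainbow tables industrialise and that per-user salt defeats."""
    table = {hash_password(word, b""): word for word in wordlist}  # b"" = no salt
    cracked = {user: table[stored] for user, stored in unsalted_entries if stored in table}
    return cracked, len(wordlist)


if __name__ == "__main__":
    # Constructed sample accounts and word list.
    users = [("alice", "letmein"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3!")]
    shadow = [make_shadow_entry(u, p) for u, p in users]
    words = ["123456", "password", "letmein", "qwerty"]
    print("same password, different stored hashes:", shadow[0][2] != shadow[1][2])
    print("salted file:  ", dictionary_attack(shadow, words))
    unsalted = [(u, hash_password(p, b"")) for u, p in users]
    print("unsalted file:", precomputed_table_attack(unsalted, words))
```

Two things to look for when running it: alice and bob share a password but their stored hashes differ, and the salted attack reports 10 hash computations for three accounts while the unsalted lookup needed only 4 for the whole file. That ratio is the whole argument for salt; the iteration count then multiplies the attacker's per-hash cost on top of it.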
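The Bloom filter construction in the last section, as a working proactive password checker. This is an added example, not code from the notes or slides. It follows the notes' recipe exactly (k hash functions H_i, a table T of N bits, set T(H_i(w)) = 1 for every dictionary word w, reject a candidate when all k bits are set). The notes do not say how the H_i are obtained; here H_i(x) is derived from SHA-256 over i concatenated with x and reduced modulo N, which is an assumption. The sizing of N and k from the dictionary size D and a target false-positive rate uses the standard Bloom-filter formulas, which are also not from the notes. The dictionary of forbidden passwords is a constructed sample.

```python
"""Bloom-filter proactive password checker (added example; H_i construction,
sizing formulas and sample dictionary are assumptions, not from the notes)."""
import hashlib
import math
from typing import Iterable, List


class BloomPasswordChecker:
    def __init__(self, n_bits: int, k: int) -> None:
        self.N = n_bits                         # table width N
        self.k = k                              # filter order k = number of hash functions
        self.T = bytearray((n_bits + 7) // 8)   # 1 x N bit table, all zero

    def _H(self, i: int, x: str) -> int:
        """H_i(x): the i-th hash function, mapping x into [0, N-1].
        Assumption: SHA-256 over (i || x), first 8 bytes, reduced mod N."""
        digest = hashlib.sha256(i.to_bytes(2, "big") + x.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") % self.N

    def _get(self, j: int) -> int:
        return (self.T[j // 8] >> (j % 8)) & 1

    def _set(self, j: int) -> None:
        self.T[j // 8] |= 1 << (j % 8)

    def add(self, word: str) -> None:
        """For w_i = H_i(word), 1 <= i <= k, set T(w_i) = 1."""
        for i in range(1, self.k + 1):
            self._set(self._H(i, word))

    def possibly_in_dictionary(self, candidate: str) -> bool:
        """True if every bit T(H_i(candidate)) is 1. A True may be a false positive
        (a good password wrongly rejected); a False is never wrong, so no dictionary
        word ever slips through."""
        return all(self._get(self._H(i, candidate)) == 1 for i in range(1, self.k + 1))

    @classmethod
    def from_dictionary(cls, words: Iterable[str], false_positive_rate: float = 0.01) -> "BloomPasswordChecker":
        """Size N and k for D words and a target false-positive rate p using the
        standard formulas N = -D ln p / (ln 2)^2 and k = (N / D) ln 2, then load T."""
        word_list = list(words)
        D = max(1, len(word_list))  # guard the empty-dictionary edge case
        N = max(8, math.ceil(-D * math.log(false_positive_rate) / (math.log(2) ** 2)))
        k = max(1, round((N / D) * math.log(2)))
        checker = cls(N, k)
        for w in word_list:
            checker.add(w)
        return checker


def measured_false_positive_rate(checker: BloomPasswordChecker, probes: List[str]) -> float:
    """Fraction of probes (assumed not to be dictionary words) the filter would reject."""
    hits = sum(1 for p in probes if checker.possibly_in_dictionary(p))
    return hits / len(probes)


# Constructed sample dictionary of passwords a user must not choose.
BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein", "dragon", "iloveyou", "admin", "welcome"]


def check_password(candidate: str, checker: BloomPasswordChecker) -> str:
    """Proactive check: reject anything the filter flags, otherwise accept."""
    return "rejected: in dictionary" if checker.possibly_in_dictionary(candidate) else "accepted"


if __name__ == "__main__":
    bf = BloomPasswordChecker.from_dictionary(BAD_PASSWORDS, false_positive_rate=1e-6)
    print(f"N={bf.N} bits, k={bf.k}, table={len(bf.T)} bytes for D={len(BAD_PASSWORDS)} words")
    for pw in ["letmein", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, bf))
    probes = [f"probe-{n}" for n in range(1000)]  # constructed non-dictionary strings
    print("measured false-positive rate:", measured_false_positive_rate(bf, probes))
```

The design point to notice is the asymmetry of errors: the table is tiny compared with the dictionary it summarises (a few hundred bits for the sample), and the only mistake it can make is to reject a password that was not actually in the dictionary. That is the right failure direction for a password checker, and the target false-positive rate is the knob that trades table size against how often a user is asked to pick again.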

