Network Security – Authentication – Computer Science

In the real world, driver licenses are used for authentication. Explain why a scanned-in digital copy of a driver license cannot be used by a server to authenticate the owner (of the driver license) and let him log in to the server. Please provide a full explanation utilizing the attached documents to the fullest.

Published on IST 554 (

Lesson 1: Understanding Authentication
In general, authentication is a process to confirm the identity of a user requesting service or a
message sender, and also the integrity of specific information.

Authentication is common in the real world (e.g., you need a photo ID to board an airplane). A more
complicated example is online banking. Suppose you need to transfer a certain amount of money
from one account to another on the Internet. You need to first prove your identity before you are
allowed to transfer your money, thus you confirm the authenticity of the transaction.

In computer security, authentication is handled electronically. The most basic technology involves a
username (or user ID) and a password for identity authentication. Now this procedure has evolved to
include other methods to confirm identity, such as biometrics and smart cards. Even stronger
authentication technologies such as Kerberos have also become popular.

This lesson describes basic concepts of identity authentication and message authentication. It then
briefly discusses three different techniques to prove a user’s identity. It ends with the discussion of
different models used by computer systems or participants of communications to perform

Lesson objectives:

Explain identity authentication and provide an example.
Explain message authentication and provide an example.
Discuss different authentication methods for proving identity.
Describe different authentication models.

Identity Authentication
Identity authentication is the process of verifying that a user really is who they claim to be. Authorization, which decides what that verified user may then do, is a separate step that depends on it. In most of today's computer systems identity is confirmed via a user ID and password.

To initially access a system, a user registers, using a unique ID and password. Subsequently, when
the user attempts to access the system, the system checks to make sure the user ID and password
are registered and acceptable. In the real world, this is equivalent to providing a confirmation
number for registration when checking into a hotel. Hotel management is ensuring that the
reservation is being released to the correct guest.

Figure 5.1: User Identity Authentication

Let’s look at an example, as shown in Figure 5.1, in which a user, Alice, wishes to use her computer
(client) to update a file of her own on a remote file server. The server will first make sure the user is,
in fact, Alice, before it allows the update.

The process generally works in the following manner:

1. Alice starts a client program on her computer such as telnet or ftp.
2. The client program prompts for her user ID and password.

Contact Webmaster

© Copyright 2013 College of IST

Page 1 of 6

3. Alice fills in her unique credentials (user ID and password).
4. The client program packages the credentials in the protocol's format and sends them to the remote server (telnet and ftp send them in clear text).
5. The remote server compares the received credentials to its own copy of the user accounts and grants Alice access to the resources if Alice has provided the correct ID and password.

This process is referred to as one-way authentication: it assumes the remote computer is trustworthy and requires only Alice to prove her identity to the server. However, Alice may want to verify the identity of the server before she works with private data. The authentication system therefore needs a way for the client program to authenticate the server before communication starts. This requires two-way, or mutual, authentication. The Kerberos authentication system supports mutual authentication; this will be discussed in more detail later.

Message Authentication

Figure 5.2: Message Authentication Example

Message authentication provides two services: message origin authentication and message content
authentication. Message authentication verifies that the received message comes from the alleged
sender as well as provides integrity assurance that the message has not been altered or replaced in

Figure 5.2 illustrates an example where message authentication is desirable. In the example, Alice
wants to send John a message. Because the message has to travel across an open public network
(e.g., the Internet), John would want to make sure that the received message is truly from Alice and
that the message has not been altered on its way from Alice to John.

With the development of networking, message authentication has become more critical. When a
sender sends a message across the Internet, outside parties may intercept the message and alter it,
substitute an entirely different message for the original message, or even insert messages of their
own. In these circumstances, it is critical that the intended recipient has tools to determine the
source of the message and the integrity of the message. Digital signature technology, based on
public-key cryptography, provides this type of message authentication. We will discuss this in more
detail later.

Identity Authentication Methods

Authentication is generally based on one of the following three factors:

Who you are (e.g., fingerprint, face, voice, retinal pattern).
What you know (e.g., a password, your mother’s maiden name, your birthday).
What you own (e.g., ID card, security token).

The key factor in identity authentication is the proof offered by an individual to confirm his or her
identity. Sometimes a combination of different factors is used, e.g., an ATM card and a Personal
Identification Number (PIN) or a security token and a password. This is referred to as a two-factor
authentication method.

The following three methods for identity authentication depend on different authentication factors:


The simplest method of authenticating identity is to use an ID and password combination, which is based on confidential personal knowledge. Other people may know a user's ID, but only the user knows the password. The user provides the ID and secret password on request when interacting with a server or a recipient.

The server keeps a copy of each user's password so that it can compare the received password with its own copy. Passwords are usually stored as one-way hashes (the digested form discussed in the next lesson) rather than in clear text, so that a compromised password file does not reveal the passwords directly. The weakness of a password-based system is that passwords can be stolen or intercepted on the network, guessed, or disclosed by the user. This threatens the security of the network by giving attackers access to a system or allowing unauthorized internal transactions.

Biometrics Method

Biometrics authentication technology determines the identity of an individual by comparing a
person’s physiological features, such as voice pattern, fingerprint, facial pattern, iris, etc., with what
has been previously recorded for that person.

Using biometrics, a person initially enrols with the system by providing one or more physiological measurements, which are converted into a numerical template by statistical and mathematical methods. A later login succeeds if the freshly measured features match the stored template closely enough; biometric matching is a similarity comparison with an error tolerance, not an exact equality check as with a password.

Biometrics relieves the user from having to choose and memorize passwords. However, biometrics is not secure unless combined with cryptography: the measurement derived from a physical feature is stored and transmitted as numerical data, so it has the same vulnerabilities as any other numerical data, and a copied template or a captured measurement replayed to the matcher will pass. Unlike a password, a compromised biometric cannot be changed. From this aspect, the Smart Card Method is a more secure and efficient complement to biometrics, since the template can be held on a card the user carries rather than on a shared server.

Smart Cards

Smart card technology is used to provide strong security protection and authentication. The card itself is something you own; combined with a PIN (something you know) and biometric data stored on the card (something you are), a smart card system can draw on all three authentication factors.

A smart card is a credit-card-sized plastic card embedded with a microprocessor that can be
programmed with specific information about the card owner, such as personal biometric data,
medical history, and cryptographic keys for authentication, etc. The microprocessor has both
computational power and memory capacity. It processes data and grants other devices access to the
data on the card.

In the smart card’s authentication system, a smart card is treated as an active computing device.
The card communicates with the host, that then determines if the card presents the appropriate
credentials or requirements to conduct a transaction in the system. The process confirms identity
and authenticates the cardholder.

Smart cards can potentially be applied to many areas, such as credit card transactions, banking,
government identification, and so on. For example, in Germany, smart cards are used for health
insurance. Smart cards improve the convenience of secure transactions. They provide tamper-resistant
storage of user identity and support secure exchange of data throughout virtually any type of
WARNING: Some information in the smart card can be vulnerable to attack by hackers, and
attacks can happen when data is being transmitted between the card and the host.

Related Links
Card Technology [1]: A bimonthly magazine that deals with smart card, payment, and identification technologies.

International Biometric Group [2]: A biometric solutions provider, as well as conference organizer and a leader in the field.

Biometric Consortium [3]: The biometric consortium dealing with research, development, testing, evaluation, and application of biometric technology.

[4]: A government-sponsored database on biometric information and reports.

Authentication Models
In general, all authentication systems are based on using secret information (e.g., passwords or
cryptographic key) known only to, or possessed by, participants of communications to determine
identities and message integrity. Authentication methods focus on how to represent a participant’s
identity, whereas authentication models are concerned with how two parties in a communication
interact and prove each other’s identity.

The following three authentication models are discussed below: basic (password) authentication, the Kerberos protocol, and public-key cryptography. Only the first two are password-based; Kerberos derives the user's key from the password, while public-key cryptography replaces the shared secret with a key pair.

Basic Authentication

A basic authentication scheme is based on the model in which the user supplies an ID and password to the server in order to be authenticated. The server validates the user ID and password before authorizing the request. No other authentication parameters are involved.

Basic authentication assumes that the connection between the client and the server is safe, so no encryption is used and all transactions are conducted in clear text (HTTP Basic authentication, for example, only base64-encodes the ID and password, which is an encoding, not encryption). This is vulnerable to eavesdroppers monitoring network traffic with sniffing tools. A captured password can be used later by an attacker to log on to the server illegitimately; this is known as a replay attack. A better approach is to encrypt the password before sending it to the server, with the caveat that encrypting the password alone does not stop replay if the attacker can resend the same encrypted value: the channel must tie each exchange to a fresh session (as TLS does), or the protocol must use a challenge-response or one-time password so that a captured value is useless afterwards.

The one-time password (OTP) system is designed to eliminate the possibility of replay attack. In an
OTP system, a series of one-time passwords are generated, but only one of them is used each time,
and it should never be used again. The OTP system will be explored later.
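The replay problem above, and the mutual authentication described under Identity Authentication, can both be seen in a challenge-response exchange. The following is an added example in Python, not code from the course notes and not the Kerberos protocol (which is covered later): a simplified protocol in which client and server each prove knowledge of a key derived from the password, without ever sending the password or an encryption of it. The PBKDF2 parameters, the 16-byte nonces and the "server"/"client" role labels are choices made for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the course notes, and not Kerberos): a minimal
# mutual challenge-response. Both sides hold a key derived from Alice's
# password; neither the password nor an encryption of it ever crosses the wire,
# and every exchange uses fresh nonces, so a captured exchange cannot be replayed.
# The PBKDF2 parameters, nonce size and role labels are choices made for the example.


def derive_key(password: str, user_id: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user_id.encode("utf-8"), 50_000)


def proof(key: bytes, role: bytes, n1: bytes, n2: bytes) -> bytes:
    # The role label keeps a server proof from being reflected back as a client proof.
    return hmac.new(key, role + n1 + n2, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._keys = {}      # user_id -> derived key; the password itself is never kept
        self._pending = {}   # user_id -> (client nonce, server nonce) for the open exchange
        self._used = set()   # server nonces already consumed (single use)

    def register(self, user_id: str, password: str) -> None:
        self._keys[user_id] = derive_key(password, user_id)

    def challenge(self, user_id: str, client_nonce: bytes):
        """Step 2: prove we know the key for the client's nonce, and issue our own."""
        server_nonce = secrets.token_bytes(16)
        self._pending[user_id] = (client_nonce, server_nonce)
        return server_nonce, proof(self._keys[user_id], b"server", client_nonce, server_nonce)

    def verify(self, user_id: str, client_proof: bytes) -> bool:
        """Step 4: the client's proof must match the nonces of *this* exchange."""
        client_nonce, server_nonce = self._pending.pop(user_id, (None, None))
        if server_nonce is None or server_nonce in self._used:
            return False
        self._used.add(server_nonce)
        expected = proof(self._keys[user_id], b"client", server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class Client:
    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self._key = derive_key(password, user_id)
        self._nonce = None

    def start(self):
        """Step 1: send our ID and a fresh nonce."""
        self._nonce = secrets.token_bytes(16)
        return self.user_id, self._nonce

    def respond(self, server_nonce: bytes, server_proof: bytes) -> bytes:
        """Step 3: authenticate the server first; only then prove ourselves."""
        expected = proof(self._key, b"server", self._nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise ValueError("server could not prove it knows the shared key")
        return proof(self._key, b"client", server_nonce, self._nonce)


def run_login(server: Server, client: Client):
    """Whole exchange. Returns (authenticated?, transcript as an eavesdropper saw it)."""
    user_id, client_nonce = client.start()
    server_nonce, server_proof = server.challenge(user_id, client_nonce)
    client_proof = client.respond(server_nonce, server_proof)
    return server.verify(user_id, client_proof), (user_id, client_nonce, client_proof)


def replay(server: Server, transcript) -> bool:
    """Eavesdropper resends the captured client proof; the server's new nonce defeats it."""
    user_id, client_nonce, client_proof = transcript
    server.challenge(user_id, client_nonce)
    return server.verify(user_id, client_proof)


if __name__ == "__main__":
    server = Server()
    server.register("alice", "kEd*0s-&y")
    ok, transcript = run_login(server, Client("alice", "kEd*0s-&y"))
    print("mutual login:", ok)                            # True
    print("replayed proof:", replay(server, transcript))  # False
    impostor = Server()
    impostor.register("alice", "guess")
    try:
        run_login(impostor, Client("alice", "kEd*0s-&y"))
    except ValueError as err:
        print("fake server:", err)
```

The client checks the server's proof before producing its own, which is what makes the scheme mutual: a spoofed server that does not know the key never receives anything from the client. The server consumes each nonce once, so the proof an eavesdropper captured is bound to an exchange that no longer exists.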

Kerberos Protocol

Kerberos is a network authentication protocol that supports more robust and trustworthy authentication in highly networked and distributed environments. It relies on symmetric cryptography (originally DES; current implementations use AES) to protect authenticating information as it travels across the network. In the Kerberos system the user's password is never transmitted, encrypted or otherwise: a key derived from it is used to decrypt a ticket issued by the authentication server, and the application servers never see the password. Authenticators carry timestamps, so a captured exchange cannot simply be replayed. Kerberos therefore resists eavesdropping and replay attacks and provides data integrity. More will be discussed about Kerberos later.

Public-Key Cryptography

Public-key cryptography is a form of cryptography that allows users to communicate securely
through the use of a public key and private key pair. The private key is kept secret while the public
key is made publicly available.

The following are some applications using public key cryptography:

Public-key encryption: Keeps a message unreadable from anyone who does not possess a
correct private key.
Public-key one-time password system: Generates one-time passwords based on a
method known as challenge response.
Public-key digital signature: Allows anyone to validate that a message was created with a
specific private key.

Lesson Wrap-Up
Access to most computer systems today is controlled by using an authentication procedure before
access is allowed. Authentication technology is an important component in an application’s security
model. It provides reliable verification of the identity of a person and the origin and integrity of a

Different companies have different security requirements for authentication. It is sensible to use a
stronger and more secure authentication solution to protect mission-critical services and trade
secrets. In this lesson, we have learned that authentication can be achieved using different methods
and models. We will discuss these methods and models in more detail in the next few lessons.

After reading this lesson, you should be able to:

Explain identity authentication and provide an example.
Explain message authentication and provide an example.
Discuss different authentication methods for proving identity.
Describe different authentication models.


Lesson 2: Passwords
The early approach to identity authentication was to use user-login systems that used usernames,
identifiers (IDs), and passwords. This system has been used for quite a while because it provides a
basic level of security against intruders. Almost every application today comes with an integrated
password system. For example, most Web sites now issue an ID and password to their registered
users for data security purposes.

Password systems are so ubiquitous that they have become the target of most security attacks. Poor password choices are easily guessed, stolen, or compromised, and attackers probe a target system for weaknesses in its password handling. Therefore, more adequate security measures are being built into password systems. This lesson reviews a general password system, common password attacks and the corresponding mitigations, and methods for strong password integrity.

Lesson objectives:

Define password authentication and explain basic concepts and terminologies.
Discuss different password attacks and corresponding mitigation methods.
Describe techniques for strong password integrity.

ID and Passwords

Figure 5.3: Authentication Across a Network

By now, everyone who works with computers is used to IDs and passwords. A session most often begins by logging on to a laptop or desktop computer, or to a Web e-mail service such as Yahoo or Hotmail, with a user ID and password.

Figure 5.3 shows an example where a user, Alice, needs to work on her computer. The first thing she does is log in to her local computer by entering her user ID and password. If she entered the correct ID and password, the computer will approve her identity and permit her access. This is the simplest way to confirm the user's identity, and is called one-way authentication.

On some occasions, after Alice logs on to the computer she is physically using, she needs to log in to
a remote computer system that is connected with her computer through a network such as the
Internet. Authentication runs across the network in such a situation. The computer Alice physically
uses is the client, and the system she wishes to access is the server. Alice’s ID and password will be
transmitted through the Internet to the server for authentication.

The user’s ID is considered to be a public identity and determines if the user is authorized to gain
access to a system. Usually, a system only allows those who have their ID registered with the system
to gain access. The ID also determines what activities a user is authorized to perform on the system.
The password should generally only be known to the user or to servers with which the user interacts,
but there are exceptions to this.

Computer systems normally store users’ IDs and passwords in a password file, (e.g., /etc/passwd in a
UNIX system). When the password is stored in a clear-text form that people can read or in a form
that can be easily figured out, anyone within the system could access the password file and later log
in as another user. Similarly, hackers can easily capture an unprotected password when it travels
across a network to the server for authentication.

ID and Passwords: Secure One-way Hash Function

A common approach to password protection is to use a secure one-way hash function to digest passwords and store the digests in the password file. If we denote the hash function as F, the system stores F(password) instead of the password itself.

Generally speaking, with a one-way hash function F it is easy to compute F(password) for a given password, but computationally infeasible to reconstruct the original password from F(password) or to find some other input that hashes to the same value. The only avenue left to an attacker is to guess candidate passwords and hash each one.

With secure hashing protection, when a user logs in and presents a password, say p, the system applies the hash function F to p and computes F(p). It then compares the calculated value with the stored value in the password file. If the two values match, login succeeds and the user is authenticated. If the values do not match, login fails.

Related Link
Wikipedia-Hash Function entry [1]: Provides a description of hash functions, applications,
properties, and further information regarding algorithms and more.

A user, Alice, attempts to log in. She enters her user ID and password. The login program applies the
hash function to the password she entered, and then compares the result with the entry stored in
the password file for user Alice.

If the two values match, Alice can successfully log on to the computer system.

When a first login attempt fails, the login screen usually displays again for a second attempt. A system with more sophisticated security protection keeps a count of failed login attempts and locks the user's account when a certain threshold has been reached. Some systems require authentication not only at the start of a new session but also at intervals, so that an attacker cannot keep using an unattended machine where another user has logged on. Other systems close a session automatically if a user is idle for too long.
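The hashed-password check and the failed-attempt lockout just described, as an added example in Python (not the course's code). SHA-256 stands in for the hash function F of the notes, the password file is an in-memory dictionary, the threshold of three failures is an assumption, and the unlock method stands in for the help-desk reset discussed below. The scheme is unsalted, as at this point in the lesson; the Password Salt section later explains why a real system adds a salt and uses a deliberately slow hash.

```python
import hashlib
import hmac

# Added example (not from the course notes). SHA-256 stands in for the one-way
# hash F of the text; real systems use a slow, salted password hash (bcrypt,
# scrypt, Argon2) rather than a bare fast hash. The three-failure threshold and
# the in-memory password file are assumptions for the example.


def F(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordFile:
    """In-memory stand-in for /etc/passwd-style storage: user ID -> F(password)."""

    def __init__(self):
        self._entries = {}

    def register(self, user_id: str, password: str) -> None:
        # Only the digest is stored; the clear-text password is discarded.
        self._entries[user_id] = F(password)

    def check(self, user_id: str, password: str) -> bool:
        candidate = F(password)
        stored = self._entries.get(user_id)
        if stored is None:
            # Compare against a dummy digest so an unknown ID costs the same time
            # as a wrong password (does not reveal which IDs exist).
            hmac.compare_digest(candidate, F(""))
            return False
        return hmac.compare_digest(candidate, stored)


class LoginGuard:
    """Counts failed attempts per ID and locks the account at a threshold."""

    def __init__(self, password_file: PasswordFile, max_failures: int = 3):
        self._pf = password_file
        self._max = max_failures
        self._failures = {}
        self._locked = set()

    def login(self, user_id: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        if user_id in self._locked:
            return "locked"          # a locked account rejects even the right password
        if self._pf.check(user_id, password):
            self._failures[user_id] = 0
            return "ok"
        n = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = n
        if n >= self._max:
            self._locked.add(user_id)
            return "locked"
        return "denied"

    def unlock(self, user_id: str) -> None:
        """Help-desk reset: clears the counter and the lock."""
        self._locked.discard(user_id)
        self._failures[user_id] = 0


if __name__ == "__main__":
    pf = PasswordFile()
    pf.register("alice", "kEd*0s-&y")
    guard = LoginGuard(pf, max_failures=3)
    for attempt in ["guess1", "guess2", "kEd*0s-&y", "guess3", "guess4", "guess5", "kEd*0s-&y"]:
        print(f"{attempt!r:14} -> {guard.login('alice', attempt)}")
```

The constant-time comparison and the dummy hash for unknown IDs are the two details a practitioner adds that the lesson's description leaves implicit: without them the login itself leaks which IDs exist and how much of a digest matched.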

Security policies are very important for every organization. Depending upon the size and type of
organization, security policies should be considered very carefully. Some IT professionals create very
strict policies that will lock a user out upon one or two failed login attempts. Be sure that the security
policy established for the organization matches the type of data and knowledge the security policy is
in place to protect. When dealing with human error, there are times when a user will simply forget a
password or have a finger slip and press a wrong key. If that user is then locked out, the user might
not be able to access work files for a certain period of time while the help desk resets the password.
This represents lost time in productivity for both the help desk and the individual who is locked out
of the system.

Password Attacks
Password attacks are malicious attempts to get a system’s password to break into the system or
jeopardize its security.

There are many readily available password attack techniques for obtaining user passwords or recovering them from their stored digests given knowledge of the hashing method used. We discuss a few common ones in this topic.

Brute-force Attack

A brute-force attack exhaustively tries every possible combination of valid symbols until the real
password is discovered.

Although a brute-force attack will find a password eventually, it is normally very time-consuming. The time it takes depends on the size of the search space: the longer the password and the larger the set of symbols it draws from, the longer a brute-force tool needs. For instance, a four-digit password has at most 10,000 possible combinations, whereas a long password drawn from a large alphabet may take many years to exhaust.

Changing passwords frequently limits the damage from a successful brute-force attack, since the time during which the attacker can use a guessed password is bounded. It does not make the attack harder; that takes a larger search space (a longer password) and, for guessing against a live login, the failed-attempt limits described above.

Dictionary Attack

A dictionary attack searches for possible passwords through a special dictionary full of common
words that people use as passwords. These dictionaries are created by hackers, using normal
dictionaries, in addition to special software programs to create password combinations. A typical
dictionary used by hackers may contain the entire Webster dictionary or words like popular first
names, street names, phone numbers, repeating letters (e.g., PPPP) or a combination of words,
letters, and names.

Because people tend to use simple passwords that they can easily remember, dictionary attacks are
often sufficient to break an application and would take much less time than trying various passwords
to find the right one in brute-force attack. Also, because people tend to use one password for several
different applications, compromising one password often leads to the breakthrough of more than one

A dictionary attack works generally more efficiently than a brute-force attack, but cannot guarantee
results like a brute-force attack.

To conduct a dictionary attack against a digested password system, the attacker computes F(word) for every word in the dictionary and compares each result against the entries stored in the password file. A match, F(word) = F(password), gives the attacker the password, which is the word.

As shown in Table 5.1, for a given word in the dictionary, “may576,” the hash result is “3efttd;” for
word, “august2380,” hash result is “k368ktj.” If the attacker found “k368ktj” in the password file, the
attacker knows “august2380” is the password.

Table 5.1

Password guess    F(password)
may576            3efttd
august2380        k368ktj

In the past such attacks could take days, weeks or even months; with the processing power available today, a dictionary attack can compromise a password system in minutes, and even brute-force attacks complete much faster. Table 5.2 gives the time for a brute-force attack on a PDP 11/70, a 1970s minicomputer, which works out to roughly 800 guesses per second. For comparison, a modern GPU can test billions of candidates per second against a fast hash such as MD5 or NTLM, which is why deliberately slow password-hashing functions are used today.

Table 5.2

Password length (26-letter alphabet)    Time to exhaust all combinations
1                                       30 msec
2                                       800 msec
3                                       22 sec
4                                       10 min

Sniffing, Spoofing, and Phishing Attacks

Sniffing (eavesdropping) covertly captures individual packets of data as they pass across a network. Also known as packet sniffing, it is very effective at collecting user login sessions: when a user ID and password pair travels over the network in clear text, it is easily read by a sniffing tool running on the same network segment.

Methods to address sniffing attacks include the Kerberos system and OTP technology. The Kerberos system encrypts account information going over the network, while OTP technology makes sniffed account information useless, as a password is only used once. Encrypting the whole session (TLS for Web traffic, SSH in place of telnet and ftp) protects the password and everything that follows it.
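What a sniffer actually recovers, as an added example in Python (not code from the course): a few constructed capture lines, in the form a sniffer on the same LAN might record them, and a small extractor that pulls the ID/password pairs out of two clear-text protocols, FTP (USER then PASS to port 21, the same pattern POP3 uses on port 110) and HTTP Basic authentication, whose Authorization header is merely base64-encoded. The addresses, ports and password are constructed; the final TLS line shows what the sniffer sees once the session is encrypted.

```python
import base64
import re

# Added example (not from the course notes). The capture is constructed: a few
# packets as a sniffer on the same LAN would see them, in "src -> dst  payload" form.
CAPTURE = [
    "10.0.0.5:51022 -> 10.0.0.9:21  USER alice",
    "10.0.0.5:51022 -> 10.0.0.9:21  PASS kEd*0s-&y",
    "10.0.0.9:21 -> 10.0.0.5:51022  230 Login successful.",
    "10.0.0.5:51030 -> 10.0.0.9:80  GET /files/report.txt HTTP/1.1",
    "10.0.0.5:51030 -> 10.0.0.9:80  Authorization: Basic YWxpY2U6a0VkKjBzLSZ5",
    "10.0.0.5:51041 -> 10.0.0.9:443  <TLS application data, 517 bytes>",
]

LINE = re.compile(r"^(\S+) -> (\S+)\s+(.*)$")
USER_PASS_PORTS = {21: "ftp", 110: "pop3"}  # protocols that send USER then PASS in clear text


def extract_credentials(lines):
    """Return (protocol, user, password) for every login recoverable from the capture."""
    found = []
    pending_user = {}  # (src, dst) -> user name seen in USER, awaiting the PASS packet
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        dst_port = int(dst.rsplit(":", 1)[1])
        proto = USER_PASS_PORTS.get(dst_port)
        if proto and payload.startswith("USER "):
            pending_user[(src, dst)] = payload[5:]
        elif proto and payload.startswith("PASS "):
            user = pending_user.pop((src, dst), None)
            if user is not None:
                found.append((proto, user, payload[5:]))
        elif payload.lower().startswith("authorization: basic "):
            # HTTP Basic: base64 is an encoding, not encryption; anyone can reverse it.
            token = payload.split(None, 2)[2]
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            found.append(("http-basic", user, password))
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(CAPTURE):
        print(f"{proto:10s} user={user!r} password={password!r}")
```

The same logic, run over a live capture rather than a constructed list, is the core of a network detection rule for clear-text credentials: every hit is a password that an attacker on the same segment would have as well.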

In a spoofing password attack, attackers use a camouflage technique to emulate a trusted host inviting users to enter their IDs and passwords.

A spoofing attack may be launched as follows:

1. An attacker runs a spoofing program that presents a fake login screen.
2. If unsuspecting users attempt to log in using this fake screen, the attacker captures their login information.
3. The fake login session is aborted with an error message and execution is handed over to the real login session without the users realizing it.

Phishing is a type of spoofing attack most often performed through e-mail. Phishing attempts to acquire sensitive information such as passwords, credit card numbers, and bank account information by fraud, such as pretending to be an established, legitimate enterprise or institution.

Users may receive a seemingly official email with a link directing them to an enterprise’s Web site
(e.g., a “bank”) where they are asked to provide personal information, such as passwords or bank
account numbers. The Web site mimics the real enterprise’s Web site and tricks people into thinking
they have been contacted by an enterprise they trust, so they unwittingly volunteer information to
unauthorized parties.

Mutual authentication is an effective method to mitigate spoofing or phishing attacks. It requires the
authentication of a system’s identity to users before users send out critical information.

To avoid false logins, users should communicate using trusted paths to known entities.

Users can press CTRL+ALT+DEL to invoke an authentic login dialog in Windows NT, even if a login dialog is already displayed; this key combination (the secure attention sequence) is intercepted by the operating system itself and cannot be captured by an ordinary program.

Systems can also be configured to display the number of failed logins. If the system does not
indicate an unsuccessful login when a user knows there has been a failed attempt, then the user
knows that something is wrong.

One must learn the different types of spoofing attacks and what to look for in each. Users and administrators can defend against spoofing with a few basic techniques, such as filtering at the router and using encryption and mutual authentication.

Here is a useful site to learn more information… [2]

Social Engineering

Social engineering is a tactic used to obtain confidential information by exploiting the natural human
tendency to trust others. For instance, unsuspecting employees can give valuable information over
the phone, such as passwords, to people who claim to be administrators or colleagues they trust.

Password File Compromising

Systems verify a user’s identity by comparing the password entered by the user against the value
stored in the password file. The password file therefore becomes an extremely attractive target for

In the past, password files were relatively easy to access. Now most systems use cryptographic
protection and access control imposed by the operating system.

Cryptographic protection prevents the contents of a password file from being directly disclosed. Attackers can still run a brute-force or dictionary attack against a stolen password file, but if complex passwords are used these attacks take too long to be feasible. The choice of hash function matters here: a fast general-purpose hash lets an attacker test billions of guesses per second on commodity hardware, so password-hashing schemes (bcrypt, scrypt, PBKDF2, Argon2) are deliberately slow and salted to hold down the rate at which guesses can be checked.

The access control method limits the exposure of a password file to all users on the system.

UNIX systems store the password digests in a shadow password file (/etc/shadow) that is readable only by the superuser, and Windows NT stores them in the SAM database in a proprietary binary format.

Strong Password Authentication
When a password is encrypted or digested, attackers cannot directly obtain the clear-text password.
However, a poorly chosen password can be easily cracked by a dictionary attack or brute-force
attack. A password structured with a few complexities makes the process of password guessing
more difficult or time consuming.

Strong Password Integrity

For convenience, people tend to use passwords that are easy to remember, particularly if they have
several to remember. As a result, they can often be easy to guess. In addition, when passwords are
generated randomly, people tend to write them down as they are difficult to remember. These
factors make password systems vulnerable to a much more sophisticated hacker/cracker

Passwords need to be “un-guessable” for the password system to be strong. Users must be trained
to create strong passwords, and password management policy should be monitored and enforced to
include the following rules:

Choose more complex passwords;
Enforce rules for good passwords;
Change passwords periodically; and
Use machine-generated passwords.

Un-guessable, good passwords are not simple words or phrases used in common language. They should combine upper- and lower-case letters, digits and special symbols such as punctuation marks, and should be at least eight characters long.

For instance, a good password can look like this: kEd*0s-&y.

A good password is less susceptible to dictionary attacks and strengthens the authentication system in terms of the number of attempts the attacker has to make before discovering it by brute force. Nowadays even apparently complex passwords can be cracked, because cracking tools apply mangling rules to dictionary words: appending digits or symbols, substituting similar-looking characters, and combining words. For this reason, passwords should be changed regularly so that an attacker who manages to learn a password can only use it for a limited time period. (Current guidance in NIST SP 800-63B instead favours long passphrases, screening new passwords against lists of known-compromised ones, and forcing a change only on evidence of compromise, because routine rotation pushes users toward predictable variations.) In addition, breaking one password will not lead to the compromise of all systems if a different password is used for each system.

Password Salt

The password file contains passwords that are protected by a secure hash function; therefore, an
intruder cannot directly use the information in the file. However, dictionary attacks are still possible
because everyone can access the password file and know the secure hash function F.

One solution is to use a password salt to make a dictionary attack more difficult. In the classic UNIX crypt(3) scheme the salt is a 12-bit number between 0 and 4095. Rather than computing F(password), the system computes F(password + salt) and stores both the salt and F(password + salt) in the password file.

When a user enters the password, the system fetches that user's salt and computes F(password + salt) to check for a match. With a 12-bit salt, a precomputed table for one dictionary word must be computed 2^12 = 4,096 different ways, and two users who chose the same password no longer have the same stored digest. Modern password hashing uses a random salt of 128 bits or more (bcrypt, for example, uses a 128-bit salt), which makes precomputation impractical altogether.
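The effect of the salt, as an added example in Python (not the course's code): an attacker's precomputed table cracks every unsalted entry with a lookup and no new hashing, while the same dictionary run against salted entries has to be rehashed for each user, and two users with the same password end up with different digests. SHA-256 stands in for F and the 12-bit salt follows the text; the last two functions show the modern form of the same idea, PBKDF2 from Python's standard library with a 16-byte random salt and an iteration count chosen for the example (production deployments use a higher count, or bcrypt/Argon2).

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Added example (not from the course notes). SHA-256 stands in for F; the
# 12-bit salt follows the text, and the PBKDF2 iteration count is an assumption.


def F(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def new_salt() -> int:
    """Classic 12-bit salt from the text: an integer in 0..4095."""
    return secrets.randbelow(4096)


def store(password: str, salt: Optional[int] = None) -> Tuple[int, str]:
    """Password-file entry (salt, F(password + salt)); both parts are stored."""
    salt = new_salt() if salt is None else salt
    return salt, F(password + str(salt))


def verify(password: str, entry: Tuple[int, str]) -> bool:
    salt, digest = entry
    return F(password + str(salt)) == digest


def precomputed_table(wordlist) -> dict:
    """Attacker's one-time table F(word) -> word, built before any file is stolen."""
    return {F(w): w for w in wordlist}


def crack_unsalted(digests: dict, table: dict) -> dict:
    """Unsalted file: each entry is one lookup, and every user who chose the
    same word falls at once, with no new hashing."""
    return {user: table[d] for user, d in digests.items() if d in table}


def crack_salted(entries: dict, wordlist) -> Tuple[dict, int]:
    """Salted file: the table is useless, so every (user, word) pair is hashed
    afresh. Returns the cracked users and the number of hashes spent."""
    found, work = {}, 0
    for user, (salt, digest) in entries.items():
        for w in wordlist:
            work += 1
            if F(w + str(salt)) == digest:
                found[user] = w
                break
    return found, work


# Modern form of the same scheme: random 128-bit salt and a deliberately slow KDF.
ITERATIONS = 100_000  # assumed for the example; raise it in production


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_pbkdf2(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    words = ["letmein", "password", "august2380"]   # constructed wordlist
    table = precomputed_table(words)
    unsalted = {"bob": F("password"), "carol": F("password"), "alice": F("kEd*0s-&y")}
    print("unsalted:", crack_unsalted(unsalted, table), "with 0 new hashes")
    salted = {"bob": store("password"), "carol": store("password"), "alice": store("kEd*0s-&y")}
    print("same password, different digests:", salted["bob"][1] != salted["carol"][1])
    print("salted  :", crack_salted(salted, words))
    print("a table covering every 12-bit salt would need", len(words) * 4096, "entries")
```

The 12-bit salt only multiplies the attacker's precomputation by 4,096 and does nothing against an attacker willing to hash per user; the PBKDF2 variant is what closes that gap, by making each of those per-user hashes expensive.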

One-time Password (OTP) Authentication

The One-Time Password (OTP) system is a good method for countering password attacks because a
password is allowed to be used only once. Even if a hacker manages to obtain the password (e.g.,
through a packet sniffer), the password is useless because it has expired by the time the hacker tries
to use it. We will discuss OTP in detail in the next lesson.

Lesson Wrap-Up
User IDs and passwords are the most common authentication method in use today, but predictable, easily broken or unchanging passwords are the single weakest point in a system's security model. Authentication that relies on standard passwords alone often fails to provide an adequate defence against network attacks, many of which succeed by breaking passwords. The compromise of a password authentication system can lead to the leakage of other valuable information and cause major damage not only to individuals but to the companies providing services.

Today’s applications require better methods for verifying the identity of attempted users and
authorizing or denying access.

After reading this lesson, you should be able to:

Define password authentication and explain basic concepts and terminologies.
Discuss different password attacks and corresponding mitigation methods.
Describe techniques for strong password integrity.
