
Lecture 1.3 - Authentication and Authorization


Lecture 1.2 introduced the concept of authenticity as a type of integrity. This lecture
focuses on the basics of how authenticity is implemented, as well as exploring the related
concept of authorization.
At the end of Lecture 1.2 we described a security system as a barrier that is designed to allow some access
to assets and to block other access. But how does the system decide what to allow and what to block? In
order to answer this question, we need to return to the concept of authenticity. A user is authentic if the
user is who he or she claims to be. A file is authentic if its ownership has integrity. A network packet is
authentic if its source address genuinely identifies the sender (source addresses can be forged, which is
why a packet's source address cannot be trusted on its own).
In order for a security system to decide whether to block or allow access to assets the security system must
first verify authenticity. (When something is authentic, we say that it has authenticity.) The term
authentication refers to any mechanism that a security system employs in order to determine authenticity.
But in order to authenticate, we must first have some identification. For example, in email we use user
addresses (like riley.davi@uwlax.edu) as an identification. (Often we abbreviate the term identification
as ID.)
Once a computer system has verified authenticity, access to an asset can be permitted. However, this may
not be complete access. There are different kinds of authorization. For example, the owner of an
apartment can do anything he or she wants to the apartment, but the tenant living in it cannot break the
windows. So the owner is authorized to do anything, including breaking windows, but the tenant is not
authorized to break windows.
A good example for understanding the subtle differences in these concepts is the subway train system
(called the Tube) in London. If you want to ride the Tube you must possess a travel pass. To obtain a
travel pass you must first obtain a photo card from a ticket clerk. The photo card contains a unique ID
number, your photo and your signature. A photo card never expires. Once you have a photo card you may
purchase a travel pass from either a vending machine or a clerk. Travel passes are good for one week,
one month or one year, depending upon how much you pay. A travel pass is only valid when you write
your ID number on it. You insert your travel pass into an automated turnstile in order to enter a train; this
is authorization, because you are now authorized to ride the train. The authentication system is separate. In
order to authenticate, clerks sometimes spot check customers. A spot check means that the clerk asks you
for both your photo card and your travel pass. The clerk checks two things to authenticate: (1) that your
photo looks like you and (2) that the ID number on the photo card is the same as the ID number on the
travel pass. In this way one travel pass cannot be used by different people. Notice that the turnstile
authorizes without authenticating: it checks only that the pass is valid, not who is holding it. The
distinction between authentication and authorization is not always as clear as it is for the Tube.
Closely related to authentication is non-repudiation. Non-repudiation means that a party cannot later
deny having performed an action, such as sending a message, because the system retains evidence that
ties the action to that party's identity. Non-repudiation is not a kind of authorization; it is a property of
how identities and actions are recorded. It is especially important for the field of security forensics,
where the goal is to prove the identity of an attacker in order to show who committed the crime.
Authentication and authorization begin with identity. An identity must uniquely define a subject. Human
names don't make a good choice for a secure identity, because many humans have the same name. Swiss
banks are famous for numbered accounts, where transactions reference an account number rather than the
customer's name. The bank doesn't need your name for day-to-day operations because a unique account
number is sufficient as a secure ID.
In the United States every person is assigned a unique Social Security Number, which serves as the basis
for a citizen's identity. Unfortunately, if an attacker can discover someone's Social Security Number, it
becomes possible to commit the crime of identity theft. This is another example of white hat and black hat
uses for the same thing. Humans have many other forms of personal identity, such as passport numbers,
credit card accounts, and street addresses. The more of these IDs that an attacker can accumulate, the
easier it is to steal someone's identity (and subsequently spend their money). This is why confidentiality of
identity information is so important. Note also that an identifier such as a Social Security Number is not a
secret: it should be used to identify a person, never as proof that the person presenting it is who they
claim to be.

The electronic world also uses many IDs. Computer users have names that must be unique for the given
system. Each network interface connected to the Internet needs a unique MAC address and a unique IP
address. Port numbers provide an application identification within a computer processing network
communications. (These will be examined more completely in a later lecture on network security.) Within
the operating system of any multi-user computer each user needs a unique user ID, and in any
multi-tasking operating system each process needs a unique process ID.
Once we have unique IDs it is possible to associate different kinds of access privileges (authorizations) with a
subject. A common way to grant authorization is using a physical authorization token. Perhaps the most
widely used authorization token is a key. If you possess the key, then you are authorized to access the asset
that this key unlocks. Other kinds of physical authorization tokens commonly used in our society are
concert tickets, postage stamps, airline boarding passes and plastic credit/debit cards. Even money is a
physical authorization token. You have 100 R.M.B. because you were deemed to be authorized to receive
it, and you can use this money as an authorization to purchase something. Notice that some of these
authorization tokens are authenticated, such as the need to present a photo ID in addition to a boarding pass
when passing through some security checks, and other authorization tokens, like concert tickets, postage
stamps, keys and money, do not require authentication: whoever holds them can use them, so stealing one
is as good as being authorized.
Authentication is often used to ensure the validity of an identity. Authentication is one way to form a basis
for trust. For example, an iris scan can be performed on a human eye to authenticate a person. A
successful iris scan means that the security system can trust this person.
In World War II it was common for American soldiers to ask an unknown person, "Who won the 1940
World Series?" Americans were likely to know who won this famous baseball competition, but Germans
would not know. My hospital also tries to authenticate by asking me my street address or the date of my
birth. Neither the World Series question nor my date of birth is a strong form of authentication,
because this is public information. However, they are apparently strong enough to provide the amount of
trust that is desired.
The most common form of computer authentication is the password. A user typically enters a user
name (his or her ID) followed by a password so that the system can authenticate the user name. This use of
passwords is called a challenge-response protocol[1] and is the most common of all security protocols. As
the name implies, a challenge-response protocol consists of two simple steps:
1) The computer challenges a subject.
2) The subject responds to the challenge by performing the requested action.
The challenge in a password system occurs when the system requests you to enter your password. A
password challenge often takes the form of a popup window with space for your password. Your response
would be to enter a password. Note that a password prompt is the weakest form of challenge-response: the
challenge is the same every time, so the response (the password) is the same every time, and anyone who
captures it once can replay it. In the stronger protocols described later in this lecture, the challenge is a
fresh random value and the response is computed from it, so a captured response is useless for the next login.
A password is a stronger means of authentication than asking for my street address, but passwords are still
vulnerable. Users sometimes select passwords that can be guessed, like the name of your girl/boy friend.
Passwords can also be cracked, especially when passwords are too short or predictable. L0phtCrack is one
famous password cracking program that has both black hat and white hat potential. But the greatest
vulnerability in passwords is the human element. A password system is only as effective as the human
behaviors in using the system. Too often humans select passwords poorly, reveal them to others or write
them down in places that other people can find. Typical studies report that about 40% of help desk time is
devoted to helping users with passwords.

[1] The word protocol refers to rules for an exchange between two or more subjects. Security protocols
consist of a carefully defined sequence of events.

Password cracking is done by algorithms that guess a potential password, then check to see if their guess is
correct. Some systems limit such cracking by penalizing too many failed attempts. For example, ATMs
often keep your card if you have failed three times consecutively to enter the correct PIN (a numeric
password). Such a limit only helps against online guessing, where every guess must go through the
system; an attacker who has obtained a copy of the stored password data can guess offline, with no limit
but the speed of his or her hardware.
Passwords can provide a reasonable level of trust because the algorithms to guess and check all possible
passwords have a running time that grows exponentially with the password length. For example, a byte can
take 256 different values (the ASCII character set proper has 128, of which about 95 are printable). There
are 256^8 potential passwords made of eight such symbols, roughly 1.8 x 10^19, and even restricted to the 95
printable symbols there are 95^8, roughly 6.6 x 10^15. So a password of length eight will take too long for
a password cracker that tries all possible symbols, at least on the computers of the day; a modern cracker
running on a few graphics cards tries billions of fast hashes per second, so eight characters is no longer
considered safe. More than eight symbols is stronger. But most password cracking algorithms don't work by
attempting all possible passwords. Instead, they use dictionaries of the most common words. For example, a
password cracker dictionary might include all known English words plus commonly-used names and
expressions. Such a cracker would need to check less than a million possibilities. If a user is foolish enough
to use a word from the dictionary as a password, then it can be cracked almost instantly. Mixing both
uppercase and lowercase letters makes password cracking more difficult, because the number of potential
passwords in the dictionary increases dramatically if all combinations of these symbols are considered.
Including non-alphabetic symbols is also recommended for the same reason.
CERT[2] has the following recommendations (called SUPR) for passwords:
S - strong (a password must be nine characters, including special symbols)
U - unique (each password should be unrelated to your other passwords)
P - practical (can you remember the password without writing it down?)
R - recent (passwords should be changed regularly, perhaps 1-3 months, depending upon security)
More recent guidance (NIST SP 800-63B) drops the requirement for periodic changes, since forced rotation
leads users to choose predictable variations of the old password, and instead requires a change when there
is evidence that a password has been compromised.
There are many other inventions for authenticating. Many companies now rely upon HHADs (Hand Held
Authentication Devices), more often known as tokens. This kind of token is a card or a small plastic device
with an embedded computer. The two kinds of tokens are challenge-response tokens and time-based
tokens.
A challenge-response token has a small display (usually an LCD display) and a keypad, usually just
number keys. The token works like this:
1) the computer system presents a challenge by showing a randomly-selected number on its screen.
2) the user types that random number on the token's keypad.
3) the user types in his/her PIN.
4) the token displays an access code computed from the challenge, the PIN and a secret key stored inside the token.
5) the user enters the access code displayed in Step 4 into the computer as a password.
Step 1 is the challenge and Steps 2 through 5 are the response. The reason for Step 2 is to tie the response
to this particular login: the challenge is different every time, so an access code that someone has captured
cannot be used later. The reason for Step 3 is so that anyone stealing the token cannot use it without also
knowing the PIN; conversely, anyone who learns the PIN cannot use it without also possessing the token.
The computer verifying the access code must know the challenge it issued and the token's secret (and the
PIN, where the PIN is part of the computation), and be capable of performing the same computation as the
token.
A time-based token works on a clock within the token that must be synchronized with a clock in the
computer system. The time-based token usually has no keypad, but simply displays an access code that is
generated by an algorithm using the current clock time and the token's secret. The user enters this access
code into the computer, which verifies the access code using the same calculation as the token; because the
two clocks drift, the computer usually accepts codes from a small window of neighbouring time steps. A
time-based token prevents reuse of an access code once its time step has passed, but by itself it is weaker
than a challenge-response token because it can be used without knowing a PIN. In practice the system
therefore usually requires the user to enter a PIN or password together with the displayed code, which
restores the second factor.
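Both token designs, as an added example that is not from the lecture or any vendor: the server and the token share a secret key, the response is an HMAC-SHA256 over the challenge (or the time step) truncated to six digits, and the server shows why a replayed code fails in the challenge-response case and why a small clock window is needed in the time-based case. The key, PIN, timestamps and the choice of HMAC-SHA256 are assumptions for illustration; real tokens use their own algorithms (time-based ones commonly RFC 6238 TOTP).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example. One secret key is shared between a token and the
# server; a real token keeps it in tamper-resistant hardware.

def truncate_code(mac: bytes, digits: int = 6) -> str:
    """Reduce a MAC to a short numeric access code a user can type."""
    n = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{n:0{digits}d}"

def token_response(key: bytes, challenge: str, pin: str) -> str:
    """What the challenge-response token computes from the challenge the
    user keyed in (Step 2), the PIN (Step 3) and its secret key."""
    mac = hmac.new(key, f"{challenge}:{pin}".encode(), hashlib.sha256).digest()
    return truncate_code(mac)

class ChallengeResponseServer:
    """Server side: issues a fresh random challenge per login and checks the
    response with the same computation as the token."""

    def __init__(self, key: bytes, pin: str) -> None:
        self.key = key
        self.pin = pin
        self.outstanding: Optional[str] = None

    def challenge(self) -> str:
        # Step 1: a fresh random number shown to the user on the screen.
        self.outstanding = f"{secrets.randbelow(10 ** 8):08d}"
        return self.outstanding

    def verify(self, code: str) -> bool:
        # Step 5: compare in constant time; the challenge is consumed either
        # way, so a captured code cannot be replayed against it.
        if self.outstanding is None:
            return False
        expected = token_response(self.key, self.outstanding, self.pin)
        self.outstanding = None
        return hmac.compare_digest(expected, code)

def time_based_code(key: bytes, now: float, step: int = 30) -> str:
    """What a time-based token displays: a code derived from the current
    30-second time step and the secret key, no challenge or PIN involved."""
    counter = int(now // step)
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return truncate_code(mac)

def verify_time_based(key: bytes, code: str, now: float,
                      step: int = 30, skew: int = 1) -> bool:
    """Server side: accept the current step and `skew` steps either side,
    because the token's clock and the server's clock drift apart."""
    for offset in range(-skew, skew + 1):
        if hmac.compare_digest(time_based_code(key, now + offset * step, step), code):
            return True
    return False

if __name__ == "__main__":
    key = b"constructed-token-secret"
    server = ChallengeResponseServer(key, pin="4711")
    chal = server.challenge()                       # shown on the screen
    code = token_response(key, chal, "4711")        # computed by the token
    print("fresh code accepted:", server.verify(code))      # True
    print("same code replayed:", server.verify(code))       # False
    t = 1_700_000_000.0                              # constructed timestamp
    tcode = time_based_code(key, t)
    print("20 s of drift:", verify_time_based(key, tcode, t + 20))    # True
    print("2 min later:", verify_time_based(key, tcode, t + 120))     # False
```

The time-based verifier has no PIN at all, which is exactly the weakness the text describes; pairing it with a password check on the server is what turns it into two factors.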
[2] CERT stands for Computer Emergency Response Team. The CERT Coordination Center, housed at
Carnegie Mellon University, coordinates responses to Internet security incidents and publishes advisories;
it is a coordination body rather than an authority with oversight of the entire Internet. Its URL is
www.cert.org. Many countries also have their own CERT organizations.

There are many biometric forms of authentication. Research has been done on retinal scans, iris scans,
digital voice pattern recognition and facial scans. Fingerprint scanners are inexpensive and sometimes
included with personal computer packages today.
It is generally more convenient to use biometric authentication rather than remembering passwords.
However, biometric devices currently have many shortcomings. Biometric devices have limited accuracy,
producing both false positives and false negatives. Suppose a facial scan were used to detect known
terrorists at professional American football games with about 70,000 spectators. Even if the facial
scanning software is 99.9% accurate, it would still wrongly flag about one spectator in a thousand, so such
a system would incorrectly detain (i.e., false positives) about 70 people per game. And since terrorists are
likely to wear disguises, research at the time showed that facial scanning software is no better than 50%
accurate at recognising them, so half of the terrorists would not be detected (false negatives). Other
problems that biometric research must overcome are (1) susceptibility to physical changes, (2) vulnerability
to spoofing, and (3) the potential for stealing body parts.
Currently, the U.S. government is planning to include fingerprints and face prints, along with photos, on
passports. A few United States airports have begun testing facial recognition software. In 2002 a Japanese
researcher used gelatin, the material of common gummy candy, to reliably spoof fingerprints, and eye
scans have been shown to be unreliable for certain kinds of illness.
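The football-game arithmetic carried one step further, as an added example (not from the lecture): besides the expected false positives and misses, it computes how often a person the system flags is actually on the watch list, which is the number an operator deciding whether to detain someone needs. The attendance, number of targets and error rates are the lecture's figures plus constructed assumptions.

```python
from typing import Dict

def screening_outcomes(attendance: int, targets_present: int,
                       false_positive_rate: float,
                       false_negative_rate: float) -> Dict[str, float]:
    """Expected outcomes of screening `attendance` people, of whom
    `targets_present` are on the watch list, for a scanner that wrongly
    flags innocents at `false_positive_rate` and misses targets at
    `false_negative_rate`."""
    innocents = attendance - targets_present
    false_positives = innocents * false_positive_rate       # wrongly detained
    missed = targets_present * false_negative_rate          # walked through
    caught = targets_present - missed
    flagged = false_positives + caught
    # Precision: of the people the system flags, the fraction who really are
    # on the list. With a rare target this is dominated by the false positives.
    precision = caught / flagged if flagged else 0.0
    return {
        "false_positives": false_positives,
        "missed": missed,
        "caught": caught,
        "flagged": flagged,
        "precision": precision,
    }

if __name__ == "__main__":
    # The lecture's figures: 99.9% accuracy (0.1% false positives) on a crowd
    # of about 70,000, with disguises cutting detection to 50%. The number of
    # targets present (10) is a constructed assumption.
    r = screening_outcomes(70_000, 10, 0.001, 0.5)
    print(f"false positives per game: {r['false_positives']:.0f}")   # ~70
    print(f"terrorists missed:        {r['missed']:.0f}")            # 5
    print(f"flagged who are real:     {r['precision']:.1%}")         # ~6.7%
```

Even with the generous 99.9% figure, fewer than one in fourteen of the people detained would actually be on the list, and halving the false positive rate barely changes that; the base rate of the population being screened matters as much as the scanner's accuracy.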
One type of electronic authentication that is used commonly is the digital certificate. A digital certificate
is issued by a certificate authority (a trusted third party) and binds the identity of a user or computer to a
public key, with the certificate authority's digital signature vouching for that binding. The holder presents
the certificate to a second computer, which accepts the identity because it trusts the certificate authority,
and the holder then proves possession of the matching private key. We will talk about digital certificates
later in the course.
More advanced than a token is a smart card. The smart card consists of a computer embedded within
something that looks like a credit card, but has gold contacts to allow it to plug into a card reader attached
to a computer. Smart cards are capable of storing digital access codes, biometric data, digital certificates
and many other things that can be used in complex computations to authenticate. The computer cannot be
removed from the card to inspect its contents, because the card is designed to be tamper-resistant: almost
any attempt to open it destroys the computer inside. Because the private key never leaves the card, the
computations that need it (such as a digital signature) are performed on the card itself.
There are five criteria for evaluating the quality of different forms of authentication:
1) How strong is the authentication? (What is the percentage of false positives and false negatives?)
2) How vulnerable is the mechanism to attack? (theft, damage or spoofing)
3) How easy is the mechanism for a human to use?
4) How much will the mechanism cost?
5) Is the mechanism interoperable, in the sense that it can be used by systems in different places or
for different purposes?
Authentication mechanisms can be classified into four categories, known as authentication factors:
a mechanism based on what you know
a mechanism based on what you have (or possess)
a mechanism based on what you are
a mechanism based on where you are
Most experts now suggest that good authentication should require at least two different authentication
factors (usually not counting where you are). In other words, a good level of security would require both a
password and a time-based token, or a digital certificate and a fingerprint scan. Using two separate
passwords or two different smart cards would not be as good, because this is using the same authentication
factor twice, instead of two different authentication factors, and a single attack (such as shoulder surfing,
or theft of a wallet) can defeat both at once.
This lecture ends with the NIST definition for non-repudiation. Notice that this definition is two-way,
because the two involved parties (referred to here as sender and recipient) must both be provided proof
of the other's identity. In other words, there are often two authentications performed. Consider a telephone
conversation. The person receiving the call usually responds with "Hello". This allows the caller to
authenticate by recognizing the voice. The caller usually responds with something like "Hello, this is Bo".
Now the other person has a chance to authenticate through voice recognition, and so the call proceeds:
each party can now trust the other.
