Type 1 – Something you Know – Pin or Password
Passwords are not obsolete.
- Nearly all systems support passwords for authentication
- Cost to deploy passwords is low
Password Guidelines
- Long is better than complex
- Never base on dictionary word
- Force new password at first usage of account
- Have clipping level – clipping = threshold for invalid attempts
- Maintain history
Attacks Against Passwords
- Brute Force – trying all passwords available
- Dictionary – trying all words in the dictionary
- Hybrid – variation of words in the dictionary
- Rainbow Tables – Hash all words in the dictionary
Type 2 – Something you Have – Think an RSA token
Token, Cryptographic Card
- OTP
- Utilize time synchronization and an unique seed file
- Issues – Loss of Token, cost of token
- Asynchronous Token
- Challenge Response
- SKEY Calculator
- Memory Cards
- Cheap (Similar to hotel access cards)
- Not encrypted
- Minimal security
- Skimmers
- Smart Card – Follow link for information from Smart Card Alliance
- A contact card must be inserted into a smart card reader with a direct connection to a conductive contact plate on the surface of the card (typically gold plated). Transmission of commands, data, and card status takes place over these physical contact points.
- Has a physical contact on card
- No batteries, energy supplied by card reader
- A contactless card requires only close proximity to a reader. Both the reader and the card have antennae, and the two communicate using radio frequencies (RF) over this contactless link. Most contactless cards also derive power for the internal chip from this electromagnetic signal. The range is typically one-half to three inches for non-battery-powered cards, ideal for applications such as building entry and payment that require a very fast card interface.
- Communicates using Radio Frequency (RF)
- Requires close proximity, should be within 4 inches
- 106 – 848kbps transfer rate
- Powered by induction, no battery needed
- Low security as RFID is easy to hack
- A contact card must be inserted into a smart card reader with a direct connection to a conductive contact plate on the surface of the card (typically gold plated). Transmission of commands, data, and card status takes place over these physical contact points.
Type 3 – Something you Are
- Devices will require an enrollment process
- Type I – False Rejection Rate
- Type II – False Acceptance Rate
- Crossover Error Rate
- Type I errors go up with increased sensitivity
- Type II errors increase with decreased sensitivity
- while somewhat relative, a better crossover rate indicates a better biometric device
- Characteristics of Biometric
- Universality – all people have characteristic
- Uniqueness – characteristic is different for each specimen
- Permanence – pattern doesn’t change over time, resists aging
- Types of devices
- Fingerprint
- Finger Geometry
- Face Recognition – features of face – eyes, nose, mouth
- Iris Recognition – color of iris
- Retina Scan – veins in back of eye
- Discloses more than identity
- Infectious disease such as Malaria
- Substance abuse
- Pregnancy
- Women with unwanted pregnancy failed retina scan
- Ended up suing company for disclosing pregnancy
- Biometrics Can be Fooled
- Mythbusters – MythBusters Busts Biometric Fingerprints
- Should not be used as single factor
Most ….
- Common – Fingerpint
- Intrusive – Retina scan
- Accurate – Retina scan
Relative Cost Least to Most –
Password, Software Token, Hardware Token, Certificate, Biometrics