MIT course "Computer Systems Security". Lecture 17: "User Authentication", Part 3

Original authors: Nickolai Zeldovich, James Mickens

Massachusetts Institute of Technology. Lecture course #6.858: "Computer Systems Security". Nickolai Zeldovich, James Mickens. 2014


Computer Systems Security is a course on the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security techniques based on recent research. Topics include operating system (OS) security, capabilities, information flow control, language-based security, network protocols, hardware security, and web application security.

Lecture 1: “Introduction: threat models” Part 1 / Part 2 / Part 3
Lecture 2: “Control of hacker attacks” Part 1 / Part 2 / Part 3
Lecture 3: “Buffer overflow: exploits and protection” Part 1 / Part 2 / Part 3
Lecture 4: “Privilege Separation” Part 1 / Part 2 / Part 3
Lecture 5: “Where Security System Errors Come From” Part 1 / Part 2
Lecture 6: “Capabilities” Part 1 / Part 2 / Part 3
Lecture 7: “Native Client Sandbox” Part 1 / Part 2 / Part 3
Lecture 8: “Network Security Model” Part 1 / Part 2 / Part 3
Lecture 9: “Web Application Security” Part 1 / Part 2 / Part 3
Lecture 10: “Symbolic execution” Part 1 / Part 2 / Part 3
Lecture 11: “Ur / Web programming language” Part 1 / Part 2 / Part 3
Lecture 12: “Network security” Part 1 / Part 2 / Part 3
Lecture 13: “Network Protocols” Part 1 / Part 2 / Part 3
Lecture 14: “SSL and HTTPS” Part 1 / Part 2 / Part 3
Lecture 15: “Medical Software” Part 1 / Part 2 / Part 3
Lecture 16: “Attacks through the side channel” Part 1 / Part 2 / Part 3
Lecture 17: “User authentication” Part 1 / Part 2 / Part 3

So biometric security is relative: look at the entropy it has; it is not much better than the entropy of passwords. If you remember, password entropy ranges from 10 to 20 bits. This is a bit alarming, but it still lets us compare biometrics with passwords. So, according to the authors, biometrics is easy to learn, because you only need to position your body in a certain way, bring your eye up to the retina scanner, and so on, so in this sense biometrics and passwords meet the requirement equally.

Student: what is the reason for such limited entropy values, for example for the fingerprint and the retina?

Professor: I think these values are due to the hardware that is used. If you have a scanner with a higher scanning resolution, these entropy values will be higher. I think there is some guaranteed minimum of individual distinctiveness, as with DNA and the like, and it is clear that these are not fundamental limits on entropy.

So, the authors say that biometrics is easy to learn, because it is easy to learn how to use the scanners. Interestingly, biometrics has a property that makes it more susceptible to error than passwords. For example, your voice may change, you may be hoarse from a cold, so biometrics does not meet the requirement of infrequent errors in use, and the authors write "no" here.



The scalability requirement is met, so the authors write "yes". Biometrics satisfies it because, basically, you bring yourself to whatever services you want to log in to, so this is a very good property of biometrics.

With respect to the easy recovery requirement, the authors note a mismatch and write "no". Because if someone steals the retinal scan you use for authentication, it will be very hard to restore your access, since you cannot get new eyes. So easy recovery is a big problem for biometrics.

The "nothing to carry" requirement, that is, the possibility of not using any additional device for authentication, is fully met here, because you automatically carry everything you need for authentication with you.

In terms of the deployability requirements, biometrics has no particular advantage over passwords. It does not meet the server compatibility requirement. It also does not meet the browser compatibility requirement, because browsers do not come with retina scanners and the like.

The accessibility requirement is satisfied conditionally, so the authors write "conditionally yes".



I think this qualification is due to possible input errors for people with disabilities, some difficulties in using biometrics even for ordinary people, and the complex physical aspects of this scheme. So the accessibility of biometrics is low, which is rather disappointing.

Consider the security requirements. Regarding resilience to physical observation, the authors say "yes". This means that if someone watches you use an iris scanner or a fingerprint scanner, that does not give them any way to impersonate you. Perhaps for voice recognition this is not very reliable, since a voice can be recorded and played back.

Student: however, an attacker can take your photo, use a special copying lens, and get a high-resolution retinal image, or even copy your fingerprints onto a special film.

Professor: you are right, there are difficulties here, because with a scientific approach and modern technology someone may try to impersonate you; but in terms of security there is a specific methodology for preventing such possibilities. That is why in some cases the authors of the paper do not say "yes" categorically but use "conditionally yes", that is, conditional compliance with the requirement. But here it is physical observation that is meant, not the use of any technical means to steal your biometric parameters.

With respect to resilience to targeted impersonation by another person, the authors write "no", for exactly the reasons you just mentioned. Because if I want to impersonate you, I will find a lens that copies your retinal image, or use a film on which copies of your fingerprints remain, and I can use that for my criminal activity.

The authors indicate that biometrics is resilient to throttled guessing but not to unthrottled guessing. The reason is as follows. In the first case the attacker cannot get past the anti-hammering protection, but if he can guess as fast as he wants, that is no longer the case. If you remember, the entropy of biometrics is not very large. So if we have someone doing unthrottled guessing, we say no, biometrics is weak in this sense.

In relation to the previous requirement, we can say that although biometrics has a small entropy space, it has a wide random distribution of values within that space. This is its difference from passwords, because passwords have both a small entropy space and tightly spaced clusters of values inside it.

The requirement of resilience to internal observation is not met for biometrics; the authors say "no" here. This is because someone can tamper with the fingerprint reader and obtain your fingerprint, which is essentially a static secret that can be used repeatedly.

In terms of phishing resilience, the authors also say no. For "no trusted third party", "yes" is indicated. The requirement of resilience to leaks from other services is interesting: here they say no. The reason is practically the same as why passwords fail this requirement: your biometric data is a static token. So if I use my retinal scan to authenticate at Amazon.com and data leaks from there, that data can be used to impersonate me on Facebook.

So what do these two columns of "yes", "conditionally yes" and "no" tell us? One, only one, of many ways of interpreting this is to sum the results.



Let's assume that each "yes" is worth 1 point, each "no" 0 points, and each conditional "yes" 0.5 points. You must understand that such a scoring scheme, if not completely arbitrary, is still fairly arbitrary.



Still, this is quite an interesting exercise for understanding what the paper says. So let's compute the result over all the rows of the table. We will see that passwords get a total of 8 points and biometrics 6.5 points. And what do these two numbers mean?



I think these are very interesting numbers, because they are qualitative rather than quantitative. These figures do not mean that such results should be strictly followed when designing security schemes; they only show that biometrics does not blow passwords out of the water. This does not mean that we will be much more successful at resisting brute-force attacks with passwords; the authors of the paper, by presenting this table, simply draw attention to the fact that passwords are better in some ways and worse in others than biometrics, and that each has its advantages and disadvantages.

This means that in a specific security situation you can compare the scores and choose the most appropriate protection factors. Thus these scores show that both authentication methods are strong in some ways and weak in others.

So, having considered this table, it is very hard to argue that any one authentication scheme has overwhelming advantages over another. Therefore it is worth thinking about how you could combine several different authentication schemes. The authors turn this idea into a scheme called multi-factor authentication, or MFA. Its idea is defense in depth, that is, to force the user to use two or more different authentication mechanisms. Each of these mechanisms must use a different procedure or condition. It is understood that these mechanisms must use different authentication methods.

For example, such a mechanism could simultaneously use:

  • something that you know, for example, a password;
  • something that you have, for example, a cell phone or a smart card;
  • something that you are, for example, a biometric indicator.


The idea is that if you use a mechanism like this, the attacker will have to steal many different things in order to impersonate you. For example, a hacker may be able to steal your password but not your phone. The most common example of such a mechanism is Google's two-factor authentication, for example for a Gmail account.



Suppose you have a password to access your mail, but in addition you receive a text message on your phone with a code that you must enter to confirm that this mailbox belongs to you. If you enter this code, it means that even if someone has got hold of your password, the phone still belongs to you. Thus this mechanism protects you from a total compromise.

AWS, Amazon's cloud service, also uses two-factor authentication for its services, and you are authenticated to, for example, manage your virtual machine and the like. They also have the option of installing a mobile application on the phone that lets you enter your password. They also use a thing called a custom security dongle, or user's electronic security key, which lets you perform two-factor authentication.

It all looks very good, but there is something that overshadows the use of two-factor authentication. Experience shows that if you give the user a second authentication method in addition to passwords, the user starts using weaker passwords. Because he believes that since his security is ensured by two mechanisms, the password can be quite simple. It can be concluded that sometimes, the more protection you give users, the more careless they become about the other, additional protection measures.

Student: many services use the last 4 digits of a credit card, which can be easily guessed, for identification.

Professor: You are right; in this sense the use of credit cards is very interesting, because in addition to these 4 digits the protection uses many other schemes to prevent fraud, but from the point of view of machine enumeration of number combinations it is quite interesting. You may have noticed that if you use your card abroad, after you insert it into an ATM you can get a call from the bank asking: "Did you just use your card?", and you answer: "yes, yes, I used it." So with ATMs security is much easier than when you use your card on websites or for shopping in online stores.



Because for some reason your card details may end up outside of your protected profile. For example, at many online stores of the "My Little Pony" type, if you do not enter a transaction confirmation password sent to your email or phone within a few minutes, your credit card is blocked. The reason they do this is that they have to choose between the interests of a person who can bring them money and the interests of an attacker who can deprive them of that money. This is a security method that sits in the background of an e-commerce site's infrastructure and uses an analytics engine to prevent fraud and similar threats.

So what are the answers to the homework questions? For example, to the question of what potential factors influence the choice of an authentication scheme in a whole bunch of different scenarios. I mean that at a high level there is no clear notion that this authentication method is right or wrong. We need to rely on the result of today's discussion and approach it this way: "in this scenario I'll think more about this authentication method, and in that scenario about another method."

For example, one of the questions concerns authentication on the public computers of the university's Athena system and how the system's designers handled this.

Possibly one thing that will be quite difficult to ensure in this case is resilience to internal observation. Because in this case we may have malware, unknown computers on the network, and so on. Perhaps with that in mind you should think about biometrics, which in this case seems like a good idea. Because in most cases the biometric reader is the preferred and trusted equipment, since it is very difficult to fake your retina or fingerprint parameters.

However, if you cannot guarantee resilience to internal observation, biometrics can be a bad idea, because, for example, stealing someone's fingerprints from a database can be devastating, since this information was used to access all the services of Athena.

So if you go back to the question of what things you should take care of first, there can be a variety of answers. For example, banks should be largely concerned about the security of ATMs, so the primary requirement here must be resilience to physical observation.

That is, if I have the opportunity to observe how you interact with an ATM, that should not give me the opportunity to impersonate you. In addition, it is worth thinking about thieves, because if I lose my credit card, it should not be possible for someone to use it to buy things without my knowledge. Returning to the above, the security of a bank card must be ensured by different mechanisms.

If you look at it from the point of view of using biometrics, the question arises: do banks trust ATMs? Do they trust these physical terminals? On the one hand you can say "yes", because the banks themselves built them, but on the other hand only Zeus knows what can happen to them. In some countries the scheme of using fake ATMs, or "undercover" ATMs, devices that look like real ATMs on the outside, is quite popular. When you insert a card into one, an intruder's reader sits on the path between you and the bank, stealing your information, or the fake ATM doesn't communicate with the bank at all and just steals your data. So perhaps the bank should not trust these terminals. And in that case biometrics would not be a good idea. It may seem like a good idea, however you are not protected from

It's a good idea to put two different levels of security in ATMs, depending on whether I am going to read something from my account or write something to it; by "write" I mean "spend my money". For example, if I want to see the balance on the account, I just enter the password, but if I want to withdraw money, I need to use another authentication scheme, for example something sent to my phone. So in order to fully trust this machine, you need two-factor authentication that protects your transactions.

Thus the paper states that the benefits of a particular authentication scheme depend on the specific conditions in which it is used.

An interesting thing that is mentioned only in the extended version of the paper is the CAP reader (CAP stands for Chip Authentication Program). The abbreviated version of the paper ends with the conclusion that there is absolutely no authentication scheme that clearly shows advantages over passwords.

What is a CAP reader? In short, it is a device that protects credit card transactions. It looks like a small pocket calculator.



You insert your card into it and enter your PIN code. Speaking abstractly, it is designed specifically for your MasterCard, and it trusts it, because no one can update the firmware of this CAP reader and no one can install some kind of malware like a keylogger on it. So you insert your card into this trusted terminal, enter the PIN, and it displays an 8-digit code. You can use this code, for example, with a web service to confirm that you are the owner of a particular credit card. This is the physical aspect of using a security mechanism.



The extended version of the paper states that the CAP reader is easy to learn to use, because the authors write "yes" in this row of the comparison table. Regarding infrequent errors in use, they write "conditionally yes", for the same reason they marked "conditionally yes" for passwords. For example, you can make a mistake when entering your PIN code and the like.

With respect to the scalability-for-users requirement, they write "no", because you must have different PIN codes for different cards, and perhaps even for different CAP readers.

Easy recovery is also marked "no", because if you lose your CAP reader or card, trying to restore your identity will cause you a lot of trouble. Naturally this reader does not meet the "nothing to carry" requirement, because you must have a CAP reader for your card.

Among the deployability properties, the authors mark "no" for server compatibility, because the server does not use any special protocols to work with these readers. This device does have browser compatibility; here the authors write "yes", because CAP readers can be used with HTML or JavaScript at the final stage of authentication.

The CAP reader does not meet the accessibility requirement, because people with disabilities may have trouble reading the 8-digit code it displays.



Regarding security, this device dominates because it meets every listed requirement. This is because the 8-digit code the CAP reader produces is one-time. Every time you are about to make a new transaction, it produces a unique set of digits that will never be reused.



For example, it is resilient to physical observation, because if someone else sees your code, they cannot use it again, since unlike a password it is not a static token.

The situation with resilience to throttled guessing is similar, because guessed values simply disappear. Even if you intercept my code, you still cannot use it to impersonate me. Again, resilience to leaks from other services is explained by the fact that the code is one-time.

Thus the CAP reader easily passes the security requirements in this table. So why do people still not widely use CAP readers in practice? Why is that? If you look at the point score, these readers get 10.5 points!



The fact is that in real life they are not the optimal balance between security requirements and usability. People do not want to carry CAP readers with them, they do not want to delve into all these protocols, take these 8-digit values and enter them somewhere on a website. In practice it turns out that usability and deployability are often more important than security. Because developers are interested in mechanisms that do not raise the cost of using their services, and customers do not want to experience any difficulties when using such things. It is worth noting that even when users are free to choose the parameters of the security scheme, they still more often choose short passwords, weak questions and so on.

Therefore the use of things like CAP readers or smart cards is justified in companies or large corporations where smart cards are used, for example, to enter a building, or in military enterprises, where the advantages of hardware-based security systems outweigh the problems of usability or deployability. But in most cases such authentication mechanisms are rejected by ordinary users.

Therefore, when creating an authentication scheme for a wide range of users, you should focus not on security but on usability. That's all, see you next Monday!
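The property that makes the CAP reader and the phone-delivered codes discussed in the lecture score so well on the security rows is that every code is one-time: a value that was shoulder-surfed, phished, or leaked from another service cannot be replayed. The following Python program is an added example, not part of the lecture or of the paper being discussed. It implements the HOTP counter-based one-time code of RFC 4226 (the scheme behind many phone authenticator apps; a real CAP reader uses an EMV-specific algorithm, not HOTP) together with a server-side verifier that tracks the last accepted counter, rejects replays, allows a small look-ahead window for codes generated on the device but never submitted, and locks the token after repeated failures. That lockout is the "anti-hammering" that makes throttled guessing ineffective even though a 6-digit code has far less than 20 bits of entropy. The secret is the RFC 4226 test-vector key; the look-ahead and lockout parameters are illustrative choices.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


class OneTimeCodeVerifier:
    """Server-side state for one user's token.

    - `counter` is the next counter value the server will accept; a code that
      was already used (observed, phished, or leaked elsewhere) falls behind
      the counter and is worthless, unlike a static password.
    - `lookahead` tolerates a few device-side increments that never reached
      the server, so the user is resynchronised instead of locked out.
    - `max_failures` is the anti-hammering rule: after that many wrong codes
      the token is locked, so an online guesser gets at most
      max_failures * lookahead chances against the 10**digits space.
    """

    def __init__(self, secret: bytes, lookahead: int = 5,
                 max_failures: int = 5, digits: int = 6) -> None:
        self.secret = secret
        self.digits = digits
        self.counter = 0
        self.lookahead = lookahead
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        for candidate in range(self.counter, self.counter + self.lookahead):
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so a partial match does not leak timing
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1       # consume this code and every earlier one
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


# Constructed demo secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through the scenarios from the lecture; returns (label, accepted) pairs."""
    server = OneTimeCodeVerifier(SECRET)
    first = hotp(SECRET, 0)                        # the token's first displayed code
    results = [
        ("fresh code accepted", server.verify(first)),
        ("shoulder-surfed replay rejected", server.verify(first)),
        ("skipped-ahead code inside look-ahead accepted", server.verify(hotp(SECRET, 3))),
        ("old code behind the counter rejected", server.verify(hotp(SECRET, 2))),
    ]
    hammered = OneTimeCodeVerifier(SECRET)
    for _ in range(hammered.max_failures):         # unthrottled guessing attempt
        hammered.verify("000000")
    results.append(("locked after repeated failures, correct code refused",
                    hammered.verify(hotp(SECRET, 0))))
    return results


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label}: {accepted}")
```

The verifier never stores the codes themselves, only the shared secret and a counter, which is why a database compromise on one service ("leaks from other services" in the table) does not hand an attacker a reusable credential the way a stored fingerprint template or password hash does; it does hand over the secret, so the secret must be protected like any key.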


Full version of the course is available here .
