network security(2)

2. Identification & Authentication

January-2004 [10]

2.

a)         What are two common techniques used to protect a password file?                                [6]

ans :-- One-way encryption: The system stores only an encrypted form of the user's password. When the user presents a password, the system encrypts that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced.
Access control: Access to the password file is limited to one or a very few accounts.
Access control system operation
When a credential is presented to a reader, the reader sends the credential’s information, usually a number, to a control panel, a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted.
The above description illustrates a single factor transaction. Credentials can be passed around, thus subverting the access control list. For example, Alice has access rights to the server room but Bob does not. Alice either gives Bob her credential or Bob takes it; he now has access to the server room. To prevent this, two-factor authentication can be used. In a two factor transaction, the presented credential and a second factor are needed for access to be granted. The second factor can be a PIN, a second credential, operator intervention, or a biometric input. Often the factors are characterized as

• something you have, such as an access badge or passcard,
• something you know, e.g. a PIN, or password.
• something you are, typically a biometric input.

c)         Why is authentication an important requirement for network security?                             [4]

July-2004 [21]

1.

f)          A password cracker knows for certain that a genuine user uses a password that is four characters long drawn from a set of 100 characters. He decides to crack the password by brute force method. What is the maximum number of combinations he needs to test? How long would it take (in years) for him to crack the password if it takes 100 msec to test each password?                                                                                                  [4]

2.

a)         List any four biometric methods other than voice print used for user authentication. Discuss the user registration and authentication procedures in the case of voice print biometric key.                                                                                                                     [8]

4.

c)         What are the three phases of authentication in Kerberos v4? Discuss each phase briefly bringing out clearly how certain security threats are overcome in each phase.               [9]

 

January-2005 [3]

3.

d)         Explain the difference between identification and authentication.                                     [3]

 

July-2005 [0]

 

January-2006 [6]

7.         Write short notes on any three:

            iv) Biometrics                                                                                                 [6]

July-2006 [0]

January-2007 [18]

1.

d)         How is Dictionary attack different from Brute Force attack?                                            [4]

5.

b)         How does biometric help in security electronic banking?                                                [8]

7.

a)         How is Kerberos designed to provide strong authentication for client/server applications by using secret key cryptography? Also mention the short comings of Kerberos.                  [6]

 

July-2007 [4]

5.

a)         What is biometrics and biometrics authentication?                                                        [4]

January-2008 [13]

1.

c)         How is Dictionary Attack method different from Heuristic Attack method?                       [4]

4.

b)         How does biometrics facilitate the IT security efforts of the Financial institutions?            [6]

5.

c)         Explain the difference between authentication and identification.                                     [3]

July-2008 [4]

1.

d)         What do you understand by biometrics and biometrics authentication?                   [4]

January-2009 [4]

1.

c)         Why is a network authentication protocol used?               [4]

July-2009 [12]

3.

b)         Explain Brute Force Attack.        [6]       

4.

c)         Kerberos is a computer network authentication protocol, which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Explain how is it works?              [6]       

January- 2010 [7]

1.

d)         Why is there a need to take multiple samples during the user registration process of biometrics?                             [4]

6.

c)         List three approaches to secure user authentication in a distributed environment.       [3]

July-2010 [25]

3.

a)         List three approaches to secure user authentication in a distributed environment.    [9]

ans :--- Three approaches to secure user authentication in a distributed environment are:

  Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).

  Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.

  Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.

b)         What are Kerberos? List four requirements for designing the Kerberos environment. [9]

ans :-- Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder (in ``Using Encryption for Authentication in Large Networks of Computers'', Communications of the ACM, Vol. 21(12), pp. 993-999, December, 1978). It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.
Kerberos works by providing principals (users or services) with tickets that they can use to identify themselves to other principals and secret cryptographic keys for secure communication with other principals. A ticket is a sequence of a few hundred bytes. These tickets can then be embedded in virtually any other network protocol, thereby allowing the process implementing that protocol to be sure about the identity of the principals involved.
Practically speaking, Kerberos is mostly used in application-level protocols (ISO model level 7), such as Telnet or FTP, to provide user to host security. It is also used, though less frequently, as the implicit authentication system of data stream (such as SOCK_STREAM) or RPC mechanisms (ISO model level 6). It could also be used at a lower level for host to host security, in protocols like IP, UDP, or TCP (ISO model levels 3 and 4), although such implementations are currently rare, if they exist at all.
There are several different versions and distributions of Kerberos. Most of them are based on an MIT distributions in one form or another, but the lineage is not always simple. Some of the distributions are freely available, some are stand-alone commercial products, and others are part of a larger free or commercial systems.
Several vendors currently sell relevant Kerberos material, and to name a few: CyberSAFE, Cygnus Support, Digital Equipment Corporation, Emulex Network Systems, OpenVision Technologies, TGV

The four requirements defined for Kerberos are:

  Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally Kerberos should be strong enough that a potential opponent does not find it to be the weak link.

  Reliable: For all services that relay on Kerberos for access control, lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.

  Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.

  Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.

6.

c)         Distinguish between Dictionary Attack and Heuristic Attack methods?       [7]

ans :-- In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.

Technique

A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack) or a bible etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily-predicted variations on words, such as appending a digit.

Pre-computed dictionary attack

It is possible to achieve a time-space tradeoff by pre-computing a list of hashes of dictionary words, and storing these in a database using the hash as the key. This requires a considerable amount of preparation time, but allows the actual attack to be executed faster. The storage requirements for the pre-computed tables were once a major cost, but are less of an issue today because of the low cost of disk storage. Pre-computed dictionary attacks are particularly effective when a large number of passwords are to be cracked. The pre-computed dictionary need only be generated once, and when it is completed, password hashes can be looked up almost instantly at any time to find the corresponding password. A more refined approach involves the use of rainbow tables, which reduce storage requirements at the cost of slightly longer lookup times. See LM hash for an example of an authentication system compromised by such an attack.
Pre-computed dictionary attacks can be thwarted by the use of salt, a technique that forces the hash dictionary to be recomputed for each password sought, making precomputation infeasible provided the number of possible salt values is large enough.