Outline

• Iris Patterns
• HW Problem
• 2-Factor Authentication
• Single Sign-on
• Web Cookies

Iris Patterns

• Iris pattern development is "chaotic"
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime

Iris Recognition: History

• 1936 -- suggested by Frank Burch
• 1980s -- James Bond films
• 1986 -- first patent appeared
• 1994 -- John Daugman patented best current approach. Patent owned by Iridian Technologies

Iris Scan

• Scanner locates iris
• Take b/w photo
• Use polar coordinates...
• Get 256 byte iris code

Measuring Iris Similarity

• Based on Hamming distance
• Define `d(x,y)` to be:
  • # of non match bits / # of bits compared
  • d(0010,0101) = 3/4 and d(101111,101001) = 1/3
• Compute `d(x,y)` on 2048-bit iris code
  • Perfect match is d(x,y) = 0
  • For same iris, expected distance is 0.08
  • At random, expect distance of 0.50
  • Accept iris scan as match if distance < 0.32

Iris Scan Error Rate

Attack on Iris Scan

• Good photo of eye can be scanned -- Attacker could use photo of eye
• Afghan woman was authenticated by iris scan of old photo from National Geographic. http://news.bbc.co.uk/2/hi/south_asia/1870382.stm
• To prevent attack, scanner could use light to be sure it is a "live" iris

Equal Error Rate Comparison

• Equal error rate (EER): fraud == insult rate
• Fingerprint biometric has EER of about 5%
• Hand geometry has EER of about `10^(-3)`
• In theory, iris scan has EER of about `10^(-6)`.
  • But in practice, may be hard to achieve
  • Enrollment phase must be extremely accurate
• Most biometrics much worse than fingerprint!
• Biometrics useful for authentication...
  • ...but identification biometrics almost useless today

Biometrics: The Bottom Line

• Biometrics are hard to forge
• But attacker could
  • Steal Alice's thumb
  • Photocopy Bob's fingerprint, eye, etc.
  • Subvert software, database, "trusted path"...
• And how to revoke a "broken" biometric?
• Biometrics are not foolproof
• Biometric use is limited today
• That should change in the (near?) future

HW Problem

Problem 7.6 This problem deals with storing passwords in a file.

1. Why is it a good idea to hash passwords that are stored in a file? Answer. This prevents an unauthorized person who manages to acquire a password file from immediately getting everyone's password.
2. Why is it a much better idea to hash passwords stored in a file than to encrypt the password file? Answer. Encrypting the password file would require the file be decrypted for password checking. This might be both computationally expensive and result in a plaintext file appearing as an intermediate file which could be copied.
3. What is a salt and why should a salt be used whenever passwords are hash? Answer. A salt is a string concatenated to the password before hashing. In the password file we store the hashed result together which the plaintext salt. This prevents the attacker from using hashes of a password dictionary for more than one forward attack.

Something You Have

• Something in your possession
• Examples include following...
  • Car key
  • Laptop computer (or MAC address)
  • Password generator (next)
  • ATM card, smartcard, etc.

Password Generator

• A password generator is a small device that has a key `K` known to Bob (but not Alice) coded into its firmware. It computes a hash based on this key and a string fed to it.
• Alice receives random "challenge" `R` from Bob
• Alice enters PIN and `R` in password generator
• Password generator hashes symmetric key `K` with `R`
• Alice sends "response" `h(K,R)` back to Bob
• Bob verifies response
• Note: Alice has password generator and knows PIN

2-factor Authentication

• Requires any 2 out of 3 of
  • Something you know
  • Something you have
  • Something you are
• Examples
  • ATM: Card and PIN
  • Credit card: Card and signature
  • Password generator: Device and PIN
  • Smartcard with password/PIN

Single Sign-on

• A hassle to enter password(s) repeatedly
  • Alice wants to authenticate only once
  • "Credentials" stay with Alice wherever she goes
  • Subsequent authentications transparent to Alice
• Kerberos --- example single sign-on protocol
• Single sign-on for the Internet?
  • Microsoft: Passport
  • Everybody else: Liberty Alliance
  • Security Assertion Markup Language (SAML)

Web Cookies

• When you browse the web using a browser, websites often send "cookies" to be stored by your browser.
• The protocol which governs how browsers and web servers communicate, HTTP -- hypertext transfer protocol, is a a stateless protocol. Cookies, however, allow servers to maintain the state of an interaction.
• More specifically, in response to a browser request, a website sends an HTTP header (Set-Cookie:) with a session string and expiration. These are then stored by your browser.
• When a browser makes a second request of the website, as part of its HTTP request, it sends any relevant cookies for the site (Cookie: header)
• This can be then used to look up any information about that session and its current state.
• Sorta like a single sign-on for a website
• There are privacy concerns... (Tracking cookies, Flash cookies, E-tags for tracking, etc.)
• Also, Cookies are a very, very weak form of authentication...

CSRF

• CSRF stands for Cross-site Request Forgery. Here is the idea of this attack which affects cookies.
• Suppose a user logs into his online bank.
• The bank stores a cookie on his machine and only uses that to check if he is logged in.
• The user browses to some other site (not the bank) with malware in it and clicks on an image link that actually contains a URL for the bank together with an action like do a money transfer to a bad person.
• Since the user still has the banks cookie, the transaction goes ahead without the user even knowing.

CSRF Prevention

• Include user specific tokens in forms, so form data won't be used to take actions on databases unless that token is present.
• Check the referrer of any data sent to your server.
• As a user make sure to log-off sites before browsing elsewhere.