Thursday, February 5, 2009

NETWORK MANAGEMENT AND INFORMATION SYSTEMS - Identification & Authentication

January-2004 [10]
2. a) What are two common techniques used to protect a password file? [6]

Form of stored passwords
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible. common approache stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access.
Rate at which an attacker can try out guessed passwords
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time out of several seconds after a small number (e.g., three) of failed password entry attempts. In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed
Ensure that good passwords are selected so that they cannot easily be cracked, or use a technology in which passwords are not located in the password file.

c)Why is authentication an important requirement for network security? [4]
Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authentication is equivalent to showing your drivers license at the ticket counter at the airport.

July-2004 [21]
1. f) A password cracker knows for certain that a genuine user uses a password that is four characters long drawn from a set of 100 characters. He decides to crack the password by brute force method. What is the maximum number of combinations he needs to test? How long would it take (in years) for him to crack the password if it takes 100 msec to test each password? [4]


A Brute-Force attack is method of breaking a cipher (that is, to decrypt a specific encrypted text) by trying every possible key. Feasibility of brute force attack depends on the key length of the cipher, and on the amount of computational power available to the attacker. Cain's Brute-Force Password Cracker tests all the possible combinations of characters in a pre-defined or custom character set against the encrypted passwords loaded in the brute-force dialog.

The key space of all possible combination of passwords to try is calculated using the following formula:

KS = L^(m) + L^(m+1) + L^(m+2) + ........ + L^(M)

where
L = character set length
m = min length of the key
M = max length of the key

For example, when you want to crack an half of a LanManager passwords (LM) using the character set "ABCDEFGHIJKLMNOPQRSTUVWXYZ" of 26 letters, the brute-force cracker have to try KS = 26^1 + 26^2 + 26^3 + ...... + 26^7 = 8353082582 different keys. If you want to crack the same password using the character set "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}\:;"'<>,.?/", the number of keys to try rises at 6823331935124.

Exhaustive key search cracking could take a very long time to complete however if the character set is the right one the password will be cracked; its only matter of time

2. a)List any four biometric methods other than voice print used for user authentication. Discuss the user registration and authentication procedures in the case of voice print biometric key. [8]


Voice-based biometric security must support identification, verification, and classification. Voice biometrics, however, are an excellent option for application security. Voice biometrics, which measure the user's voice, require only a microphone—a robust piece of equipment as close as the nearest telephone. A voiceprint is a set of measurable characteristics of a human voice that uniquely identifies an individual. These characteristics, which are based on the physical configuration of a speaker's mouth and throat, can be expressed as a mathematical formula. The term applies to a vocal sample recorded for that purpose, the derived mathematical formula, and its graphical representation. Voiceprints are used in voice ID systems for user authentication.
Voice biometrics provide three different services: identification, verification, and classification. Speaker verification authenticates a claim of identity, similar to matching a person's face to the photo on their badge. Speaker identification selects the identity of a speaker out of a group of possible candidates, similar to finding a person's face in a group photograph. Speaker classification determines age, gender, and other characteristics. Here, I'll focus on speaker verification resources ("verifiers").
Older verifiers used simple voiceprints, which are essentially verbal passwords. During verification, the resource matches a user's current utterance against a stored voiceprint.
Modern verifiers create a model of a user's voice and can match against any phrase the user utters. This is a terrific advantage. First, ordinary dialogue can be used for verification, so an explicit verification dialogue may be unnecessary. Second, applications can challenge users to speak random phrases, which make attacks with stolen speech extremely difficult.
Architecture, Resources
The prototype I present uses a telephony server to connect to the telephone network, a speech-technology server, and an application server to execute my code and control the other two servers; see Figure 1.
For the telephony server, speech-technology resource server, and application server, I use BeVocal's free developer hosting (http://cafe.bevocal.com/). BeVocal hosts VoiceXML-based applications. VoiceXML is an open specification from the W3C's "voice browser" working group (http://www.w3.org/Voice/). XML-based VoiceXML lets you write scripts with dialogues that use spoken or DTMF input, and text-to-speech or prerecorded audio for output. My scripts reside on the Internet and are fetched by the VoiceXML server via HTTP. Since the VoiceXML specification does not define a voice biometrics API, I used BeVocal's extensions to VoiceXML.
Another company that offers voice biometrics hosting is Voxeo (http://techpreview.voxeo.com/); Voxeo uses a different API. Voxeo lets you send tokens through HTTP to initiate calls from the VoiceXML server to users, which is convenient for web-based applications—not to mention more secure, as the application can easily restrict the calls to predefined telephone numbers. Both BeVocal and Voxeo offer free technical support—and they need to because documentation is often sparse or incorrect. Loggers track script execution and report errors, but you'll need your sleuthing skills to uncover the actual errors.
Enrollment
Before users can use the verifier, the verifier must obtain a model of the user's voice—users must enroll. During enrollment, users speak several phrases, usually similar to those used during verification. Listing One highlights the enrollment application (the complete source code and related files are available electronically; see "Resource Center," page 5).
Users' voice models are stored in a database at the VoiceXML server. Each developer has a separate database, and the developer assigns keys to each user. Generally, users speak or enter ID numbers, which act as the keys.
VoiceXML is based around forms, each with several fields to be filled. After collecting user ID numbers in a previous form, Listing One's tag starts collecting speech for enrollment. The tags create JavaScript variables, which are initialized via JavaScript functions (not shown) with numeric and text versions of a four-digit random number. BeVocal's tag activates both a verifier and speech-recognition resource. The keyExpr attribute of gives the verifier the key under which to store the voice model; in our case, the ID number. The name attribute defines a field that accepts the results of recognition, and type specifies the input to expect: a four-digit number. A tag sends text to the text-to-speech resource, which plays it to the user. The tag introduces a pause between the introductory prompt and challenge phrase. The tag is a directive to the text-to-speech system: The string "1234" should be pronounced "one two three four" and not "one thousand two hundred thirty four."
If users do not speak, the tag is activated; if the user's utterance does not match the grammar (is not a four-digit number), the tag is activated. In either case, a counter decrements; when the counter drops to zero, I emulate transfer to a human agent. This counter defends the application against malicious users who tie up the server, and helps users who are having trouble.
When user utterances match the grammar, the tag is activated, and compares the utterance with the challenge. This ensures that the verifier hasn't inadvertently collected noise and mistaken it for a valid utterance—and that someone is not trying to spoof the system with prerecorded utterances. If the utterance matches the challenge, the application goes to the next step via the tag; if they do not match, the recognition result is reset via the tag, which causes the to execute again. In the remainder of the enrollment application, users repeat a different four-digit number and current date.
Verification
To verify a user's identity, a user first claims an identity; in our case, by providing an ID number. Listing Two is the application after a user has made a claim.
The BeVocal API does not let you check whether the database of voice models actually contains the needed model. Instead, if the database key is incorrect, the server interrupts itself in midprompt when the mistake is discovered—which annoys me and users. Fortunately, a little judicious hacking solves the problem. Listing Two(a) starts with the tag, which activates the verifier and speech-recognition resource, and defines both a field to receive the results and the type of input expected. The identity claim is passed to the verifier via the keyExpr attribute. The tag sets the total time to perform recognition to 1 ms, and the prompt is only 1-ms long. The first is processed if the key is in the database. The second is activated if the key is invalid; the user is sent back to the form that collects the ID number. As in enrollment, too many errors will send a user to an operator.
With a valid key, the system moves on to Listing Two(b). Variables are initialized with a random challenge phrase, and an announcement plays to users. The tag starts a verifier and speech-recognition resource, and users are asked to speak the four-digit challenge number. If users are silent () or say something other than a number (), reprompts them.
If users speak a number, the tag is activated, and checks the number of attempts. If the user is still under the limit, the first compares the utterance to the challenge number. If they are not the same, resets the results and users try again. Otherwise, tags examine the decision of the verifier, which returns one of three confidence levels. If users are accepted, the transaction is approved; if users are decisively rejected, they are sent to operators for further assistance. If neither is true—if the result is "unsure"—users are sent to further tags (not shown) with a second or third round of challenge phrases. Users who cannot be verified are sent to operators.

There does not appear to be any one method of biometric data gathering and reading that does the "best" job of ensuring secure authentication. Each of the different methods of biometric identification have something to recommend them. Some are less invasive, some can be done without the knowledge of the subject, some are very difficult to fake.
Face recognition: Of the various biometric identification methods, face recognition is one of the most flexible, working even when the subject is unaware of being scanned. It also shows promise as a way to search through masses of people who spent only seconds in front of a "scanner" - that is, an ordinary digital camera. Face recognition systems work by systematically analyzing specific features that are common to everyone's face - the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin and so forth. These numerical quantities are then combined in a single code that uniquely identifies each person.
Fingerprint identificationFingerprints remain constant throughout life. In over 140 years of fingerprint comparison worldwide, no two fingerprints have ever been found to be alike, not even those of identical twins. Good fingerprint scanners have been installed in PDAs like the iPaq Pocket PC; so scanner technology is also easy. Might not work in industrial applications since it requires clean hands. Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the minutiae points (ridge characteristics that occur when a ridge splits into two, or ends) of a specimen print with a database of prints on file.
Hand geometry biometricsHand geometry readers work in harsh environments, do not require clean conditions, and forms a very small dataset. It is not regarded as an intrusive kind of test. It is often the authentication method of choice in industrial environments.
Retina scanThere is no known way to replicate a retina. As far as anyone knows, the pattern of the blood vessels at the back of the eye is unique and stays the same for a lifetime. However, it requires about 15 seconds of careful concentration to take a good scan. Retina scan remains a standard in military and government installations.
Iris scanLike a retina scan, an iris scan also provides unique biometric data that is very difficult to duplicate and remains the same for a lifetime. The scan is similarly difficult to make (may be difficult for children or the infirm). However, there are ways of encoding the iris scan biometric data in a way that it can be carried around securely in a "barcode" format. (See the SF in the News article Biometric Identification Finally Gets Started for some detailed information about how to perform an iris scan.)
SignatureA signature is another example of biometric data that is easy to gather and is not physically intrusive. Digitized signatures are sometimes used, but usually have insufficient resolution to ensure authentication.
Voice analysisLike face recognition, voice biometrics provide a way to authenticate identity without the subject's knowledge. It is easier to fake (using a tape recording); it is not possible to fool an analyst by imitating another person's voice.

Voice authentication, also known as “speaker verification”, is defined as the automated verification of a person’s claimed identity, based on unique characteristics of their voice. A simple microphone is enough to record the voice, then most of the algorithm are analysing the voice spectrum. Do not confuse speaker/voice recognition with speech recognition. Speech recognition is the recognition of what you are saying, and not who you are Do not confuse speaker/voice recognition with speech recognition. Speech recognition is the recognition of what you are saying, and not who you are

In biometrics, the instance of a security system failing to verify or identify an authorized person. Also referred to as a type I error, a false rejection does not necessarily indicate a flaw in the biometric system; for example, in a fingerprint-based system, an incorrectly aligned finger on the scanner or dirt on the scanner can result in the scanner misreading the fingerprint, causing a false rejection of the authorized user.
The false rejection rate, or FRR, is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system’s FRR typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.
Crossover Error Rate (CER) is a comparison metric for different biometric devices and technologies. It is the error rate at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over.
In biometrics, the instance of a security system incorrectly verifying or identifying an unauthorized person. Also referred to as a type II error, a false acceptance typically is considered the most serious of biometric security errors as it gives unauthorized users access to systems that expressly are trying to keep them out.
The false acceptance rate, or FAR, is the measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. A system’s FAR typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts.
4. c) What are the three phases of authentication in Kerberos v4? Discuss each phase briefly bringing out clearly how certain security threats are overcome in each phase. [9]
Kerberos Authentication Process
There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service. Figure 2-8 and Figure 2-9 illustrate this process.
Figure 2-8 shows the first phase, in which the client, labeled Alice in the figure, requests credentials from the Kerberos KDC.

Figure 2-8 Requesting credentials from the KDC
The steps are as follows:
1. Alice sends a request to the KDC for credentials. The KDC prompts Alice for a user name and password (or other authentication information), checks the authentication information against the data in the directory server, and (assuming the authentication is valid) gets Alice’s private key from the directory server.
2. The KDC creates an encryption key (called a session key) for use by Alice the next time she wants to request service from a kerberized server and encrypts the key with Alice’s private key. It also creates an identification credential called a ticket-granting ticket (TGT), which contains a copy of the session key encrypted with the KDC’s private key (plus other information). The KDC sends both credentials to Alice. Alice decrypts the session key and stores it for later. She can’t decrypt the TGT or modify it, but saves it for later use as well. Both the session key and the TGT include timestamps and expiration times to limit the chances of their being intercepted and used by unauthorized persons.
In the second phase, Alice uses the TGT to request identification credentials from the KDC in order to use a kerberized service, labeled Bob in the figure. Because Alice has a TGT, the KDC does not have to reauthenticate her, so Alice is not asked again for her password. In the third phase, Alice sends the credentials to Bob, and Bob sends authentication information to Alice. The second and third phases are illustrated in Figure 2-9.

Figure 2-9 Authenticating the client and server with a Kerberos ticket

The steps are as follows:
1. Alice sends to the KDC a request to open a session with Bob, together with the TGT that the KDC issued earlier. Because the TGT is encrypted with the KDC’s private key, it cannot have been altered, and the KDC accepts it as proof that Alice has been authenticated.
2. The KDC decrypts the TGT and extracts the session key it issued earlier to Alice. (Recall that when the KDC sent the session key to Alice earlier, it was encrypted with Alice’s private key, so only the KDC and Alice can know this session key.) The KDC then generates a random value, encrypts it with the session key, and sends it to Alice. It also creates a ticket for Alice to send to Bob. This ticket contains a new session key, the same random value that was sent to Alice, and an indication that the request for a session came from Alice. This key is encrypted with Bob’s private key, so Alice (or an intruder) cannot read or modify it. The KDC sends the ticket to Alice.
3. Alice sends the ticket to Bob. Bob decrypts it with his private key. Because only the KDC and Bob know this key, Bob knows the ticket was issued by the KDC. Bob extracts the random value and the session key, and encrypts the random value with the session key.
4. Bob sends the encrypted value to Alice. Because Alice knows that only she and Bob have this session key, she knows that the credential must have come from Bob. She checks the value and compares it with the one she received earlier from the KDC. If they match, she knows the message was not interfered with, and she accepts that Bob has been authenticated by the KDC.
Note that this procedure does not involve sending either Alice’s or Bob’s private key over the network. Both Alice and Bob are authenticated to each other, so Bob knows that Alice is a valid user and Alice knows that Bob is the server with which she intended to do business. All credentials are further protected with timestamps and expiration times. Kerberos has other security features as well; for details, see the MIT Kerberos website at http://web.mit.edu/kerberos/.
Kerberos and Authorization
Kerberos is an authentication protocol, not an authorization protocol. That is, it verifies the identities of both the client and the server, but it does not include any information about whether the client has a right to use the services provided by the server. In terms of the preceding discussion, once Bob is satisfied that the request for services really came from Alice, it is up to Bob to determine whether to grant Alice access to those services. The ticket that Bob receives from Alice contains enough information about Alice to enable Bob to make that determination.
Starting with version 5, Kerberos tickets provide a mechanism for the tamperproof transmission of authorization information. When the client requests a ticket, it includes information about itself in the request and can request that the KDC include additional authorization in the ticket. The KDC inserts this information into the authorization data field of the ticket and forwards it to the server. Kerberos does not define how this authorization information should be encoded; it provides only a secure mechanism for its transmission. It is up to the client and server to implement the authorization protocol.
Single Signon
Mac OS X uses Kerberos for single signon authentication, which relieves users from entering a name and password separately for every kerberized service. With single signon, after a user enters a name and password in the login window, the user does not have to enter a name and password for Apple file service, mail service, or other services that use Kerberos authentication. In other words, Kerberos authenticates the user once, and thereafter uses tickets to identify the user (see “Authentication, Identification, and Authorization”).
To take advantage of the single signon feature, services must be configured for Kerberos authentication and users and services must use the same Kerberos KDC. For Mac OS X Server v10.3 and later, user accounts in an LDAP directory that have a password type of Open Directory use the server’s built-in KDC. These user accounts are automatically configured for Kerberos and single signon. The server’s kerberized services also use the server’s built-in KDC and are automatically configured for single signon. See Mac OS X Server Open Directory Administration (at http://www.apple.com/server/documentation/) for details.
Large Networks
In “Kerberos Authentication Process,” the Kerberos Key Distribution Center (KDC) is treated as a single entity. However, a KDC consists of two separate software processes: the ticket-granting server and the authentication server. The authentication server verifies a user’s identity by prompting the user for a name and password and asking the directory server for the user’s password. The authentication server then looks up the user’s private key, generates a session key, and creates the ticket-granting ticket (TGT), as shown in Figure 2-8. Thereafter, the user sends the TGT to the ticket-granting server whenever the services of a kerberized server are required, and the ticket-granting server issues the ticket, as shown in Figure 2-9.
Many networks are too large to efficiently store all the information about users and computers in a single directory server. Instead, a distributed model is used, where there are a number of directory servers, each serving a subset of the network. In Kerberos parlance, this subset is referred to as a realm. Each realm has its own ticket-granting server and authentication server. If a user needs a ticket for a service in a different realm, the authentication server issues a TGT and the user sends the TGT to the authentication server, as before. The authentication server then issues a ticket, not for the desired service but for the remote ticket-granting server for the realm that the service is in. The user then sends the ticket to the remote ticket-granting server to get the ticket for the actual service.
In fact, in a large network, the user might have to contact the remote ticket-granting server in a sequence of realms before finally getting the ticket for the desired service. When a ticket for the application service is finally issued, it contains an enumeration of all the realms consulted in the process of requesting the ticket. An application server that applies strict authorization rules is permitted to reject authentication that passes through realms that it does not trust.
Although limited cross-realm authentication was possible in Kerberos v4, the full implementation of this feature is new in Kerberos v5.
Public Keys
In principle, public key authentication works in much the same way as private key authentication, with one major difference: public keys do not have to be kept secret, so there is no need to encrypt them or send them over secure channels. The public key can be provided by a server, in a certificate, or through some other method. Figure 2-10 illustrates public key authentication using an authentication server.

Figure 2-10 Public key authentication

The steps are as follows:
1. Alice sends Bob a request to talk.
2. Bob generates a random value and sends it to Alice as a challenge.
3. Bob requests Alice’s public key from the authentication server.
4. The authentication server sends the unencrypted public key to Bob.
5. Alice encrypts the random value with her private key and sends it to Bob.
6. Bob decrypts the value with Alice’s public key.
7. Bob compares the decrypted value with the original value to verify that they are identical. Alice has now authenticated herself to Bob.
Bob can authenticate himself to Alice in exactly the same way.
Notice that there is no need for the authentication server to store any sensitive material: the public keys do not have to be stored securely, and the authentication server does not need to hold passwords because it never has to verify one. However, it is necessary to ensure that no one alters the public keys stored in the authentication server. Otherwise, Eve, for example, could substitute her public key for Alice’s and then could impersonate Alice. Actual implementations of server-based public key authentication systems, therefore, such as used by Novell Corporation’s NDS (Novell Directory Services), include additional security features.
Note, however, that it is not necessary to have an authentication server in order to use public key authentication. Digital certificates can take the place of a central distributor of public keys.
Certificates
The problem of ensuring that a public key actually belongs to the entity you wish to authenticate can be addressed using digital certificates. Authentication using a digital certificate is illustrated in Figure 2-11.

Figure 2-11 Authentication with a digital certificate

The steps are as follows:
1. Alice sends Bob a request to talk.
2. Bob generates a random value and sends it to Alice as a challenge.
3. Alice encrypts the value with her private key and sends it to Bob. She also sends Bob her digital certificate containing her public key.
4. Bob verifies the digital certificate and uses the public key to decrypt the value.
5. Bob compares the decrypted value to the original value, verifying that it was truly Alice who sent him the certificate.
In practice, Alice could digitally sign her response to Bob rather than separately encrypting the challenge. Certificates are described in more detail in “Digital Certificates,” and digital signatures are discussed in “Digital Signatures.”
January-2005 [3]
3. d) Explain the difference between identification and authentication. [3]
Authentication is the process by which a user establishes his or her identity when accessing a network application or service. In the identification phase, the server is informed of a user's identity, after which the server asks for authentication, or proof, that the user is who she says she is. Several identification processes consider a username and password combination to be an effective authentication process. User Identification: In virtue of Data base server Identification tries to find whether you are registered user in the database or not. It applies to whole database server. Authentication: It applies for special Privileges for a user in the database. Like whether a user is authenticated to run system procedures or not. Or whether he is authenticated to create new users or not.
January-2006 [6]
7. Write short notes on any three:
iv) Biometrics [6]
Biometrics are used to identify the input sample when compared to a template, used in cases to identify specific people by certain characteristics.
possession-based
using one specific "token" such as a security tag or a card
knowledge-based
the use of a code or password
A biometric system can provide the following two functions [21]:
Verification
Authenticates its users in conjunction with a smart card, username or ID number. The biometric template captured is compared with that stored against the registered user either on a smart card or database for verification.
Identification
Authenticates its users from the biometric characteristic alone without the use of smart cards, usernames or ID numbers. The biometric template is compared to all records within the database and a closest match score is returned. The closest match within the allowed threshold is deemed the individual and authenticated
Types of Biometrics
Physiological
Iris
Fingerprint (including nail)
Hand (including knuckle, palm, vascular)
Face
Voice
Retina
DNA
Even Odor, Earlobe, Sweat pore, Lips
Behavioral
Signature
Keystroke
Voice
Gait
Increase security - Provide a convenient and low-cost additional tier of security.* Reduce fraud by employing hard-to-forge technologies and materials. For e.g.Minimise the opportunity for ID fraud, buddy punching. * Eliminate problems caused by lost IDs or forgotten passwords by using physiological attributes. For e.g. Prevent unauthorised use of lost, stolen or "borrowed" ID cards. * Reduce password administration costs. * Replace hard-to-remember passwords which may be shared or observed. * Integrate a wide range of biometric solutions and technologies, customer applications and databases into a robust and scalable control solution for facility and network access * Make it possible, automatically, to know WHO did WHAT, WHERE and WHEN! * Offer significant cost savings or increasing ROI in areas such as Loss Prevention or Time & Attendance. * Unequivocally link an individual to a transaction or event.


January-2007 [18]
1.
d) How is Dictionary attack different from Brute Force attack? [4]
brute force attack consists of trying every possible code, combination, or password until you find the right one.
In most cases, a dictionary attack will work more quickly than a brute force attack. A brute force attack is, however, more certain to achieve results eventually than a dictionary attack.
In contrast with a brute force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a list of words in a dictionary
5.
b) How does biometric help in security electronic banking? [8]
Internet banking is the provision of banking services over the internet that gives people the opportunity of easy access to their banking activities.
A security apparatus receives a biometric input from a user, which then is compared to a template to determine a correlation factor. The correlation factor, a fixed code and either a time-varying code or a challenge code then are combined to generate a token. The token is displayed to the user, who then enters the token at an access device. The access device is coupled to a secure host system. The access device forwards the token to the host, which processes the token to determine whether access is permitted. In one embodiment, the host is an electronic banking system. If access to such system is permitted the user is allowed to perform an electronic funds transfer. The security apparatus in one embodiment is an integrated circuit card. Each apparatus includes a sensor for detecting the holder's biometric information (i.e., voice, signature, fingerprint), along with a processor and display. The processor generates the token which then is displayed to the holder.

7.
a) How is Kerberos designed to provide strong authentication for client/server applications by using secret key cryptography? Also mention the short comings of Kerberos. [6]

July-2007 [4]
5.
a) What is biometrics and biometrics authentication? [4]
Biometrics is the science and technology of measuring and analyzing biological data. In information technology, biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes. We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token or smart card) or something the user is (a physical characteristic, such as a fingerprint, called a biometric). (For more on authentication, go to QuickStudy: Authentication.)
More Computerworld QuickStudies
Listen to the Computerworld Techcast
All three authentication mechanisms have drawbacks, so security experts routinely recommend using two separate mechanisms, a process called two-factor authentication. But implementing two-factor authentication requires expensive hardware and infrastructure changes. Therefore, security has most often been left to just a single authentication method.
Passwords are cheap, but most implementations offer little real security. Managing multiple passwords for different systems is a nightmare, requiring users to maintain lists of passwords and systems that are inevitably written down because they can't remember them. The short answer, talked about for decades but rarely achieved in practice, is the idea of single sign-on. .
Using security tokens or smart cards requires more expense, more infrastructure support and specialized hardware. Still, these used to be a lot cheaper than biometric devices and, when used with a PIN or password, offer acceptable levels of security, if not always convenience.
Biometric authentication has been widely regarded as the most foolproof - or at least the hardest to forge or spoof. Since the early 1980s, systems of identification and authentication based on physical characteristics have been available to enterprise IT. These biometric systems were slow, intrusive and expensive, but because they were mainly used for guarding mainframe access or restricting physical entry to relatively few users, they proved workable in some high-security situations. Twenty years later, computers are much faster and cheaper than ever. This, plus new, inexpensive hardware, has renewed interest in biometrics.
Types of Biometrics
A number of biometric methods have been introduced over the years, but few have gained wide acceptance.
Signature dynamics. Based on an individual's signature, but considered unforgeable because what is recorded isn't the final image but how it is produced -- i.e., differences in pressure and writing speed at various points in the signature.
Typing patterns. Similar to signature dynamics but extended to the keyboard, recognizing not just a password that is typed in but the intervals between characters and the overall speeds and pattern. This is akin to the way World War II intelligence analysts could recognize a specific covert agent's radio transmissions by his "hand" -- the way he used the telegraph key.


January-2008 [13]
1.
c) How is Dictionary Attack method different from Heuristic Attack method? [4]
A dictionary attack consists of trying "every word in the dictionary" as a possible password for an encrypted message.
A dictionary attack is generally more efficient than a brute force attack, because users typically choose poor passwords.
Dictionary attacks are generally far less successful against systems that use passphrases instead of passwords.

4.
b) How does biometrics facilitate the IT security efforts of the Financial institutions? [6]
Financial Institutions use Biometric Identification as an Additional Layer of SecurityA recent Meridian Research study projects that by 2006, financial institutions will lose $8 billion to identity theft - but the true cost is much higher. For every dollar lost, four more are spent identifying and prosecuting the criminal. If you have sensitive data either in-house or networked via the Internet, biometric fingerprint identification adds an additional layer of security to personal and financial information.In particular, financial institutions can use fingerprint biometric applications to help protect sensitive financial data from unauthorized users and increase customer confidence that personal information is secure. Unlike a username and password, a fingerprint cannot be easily stolen. CheckQ, a check fraud prevention system, and VaultQ, a safe-deposit access system, are two applications that illustrate the use of fingerprint biometrics in the financial industry. Read our whitepaper about biometrics for financial institutions.Protect your assets, your customers and your bottom lineBad checks and identity thieves aren’t the only security challenges banks and financial institutions face. If you’re still using only passwords and PINs to protect your premises and computers or to verify employee time and attendance, you’re taking chances with your bottom line.US Biometrics provides a full range of integrated solutions and services for digital identity applications including physical access control, network security, electronic transaction security and time/attendance. Every product in our solution suite is fully scalable, adapted specifically for business and compatible with leading business software and operating platforms.
5.

c) Explain the difference between authentication and identification. [3]
Authentication is the process by which a user establishes his or her identity when accessing a network application or service. In the identification phase, the server is informed of a user's identity, after which the server asks for authentication, or proof, that the user is who she says she is. Several identification processes consider a username and password combination to be an effective authentication proces
User Identification: In virtue of Data base server Identification tries to find whether you are registered user in the database or not. It applies to whole database server.

Authentication: It applies for special Privileges for a user in the database. Like whether a user is authenticated to run system procedures or not. Or whether he is authenticated to create new users or not.