UNIVERSITY OF CYPRUS. Authentication. CS682 Advanced Security Topics
Slide 1: University of Cyprus, Computer Science Department. Authentication. CS682 Advanced Security Topics. George Moullotos.
Slide 2: Roadmap (slide footer throughout: GEORGE MOULLOTOS - AUTHENTICATION)
- Introduction: problem, main topics, related work, cryptographic hashing
- Honeywords: architecture, operation, generation, variations and extensions, policy choices, attacks, methods comparison
- Synergetic Authentication (SAuth): architecture, protocol details, operation, password reuse, security evaluation
Slide 3: Introduction. Problem: password theft.
Slide 4: Attack scenarios
- Stolen files of password hashes
- Easily guessable passwords
- Visible passwords
- The same password used for many systems or services
- Passwords stolen from users
- Compromised password-change procedure
Slide 5: Main topics: honeywords and Synergetic Authentication (SAuth).
Slide 6: Related work.
Slide 7: Related work (honeywords)
- H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh. Kamouflage: loss-resistant password management. In ESORICS. Kamouflage stores N-1 decoy password sets next to the real one, with N around 10,000, so an attacker who steals the password-manager database must first guess which set is real. First appearance of the term.
- Shrisha Rao. Data and system security with failwords. U.S. Patent Application US2006/ A1 (number incomplete in the transcription), U.S. Patent Office, July 20. Patent on systems using failwords: a failword tricks the intruder into thinking the login attempt succeeded, so that the intruder can be tracked.
Slide 8: Related work (SAuth)
- B. Adida. BeamAuth: two-factor web authentication with a bookmark. In Proceedings of the 14th ACM Conference on Computer and Communications Security. BeamAuth is a second-factor web authentication scheme against phishing; the second factor is a token hidden in the user's bookmark.
- F. Benevenuto, T. Rodrigues, M. Cha, and V. Almeida. Characterizing user behavior in online social networks. In Proceedings of the 9th ACM SIGCOMM Internet Measurement Conference. Workload analysis of online social networks (OSNs): users stay concurrently and constantly authenticated to e-mail and social network services, which is what SAuth builds on.
Slide 9: Cryptographic hashing.
Slide 10: Base case. The user submits username and password; the server stores username and H(password) and at login compares H(submitted password) with the stored hash, so the plaintext password is never stored.
Slide 11: Base case example: MD5("examplepassword") = 8ac b2e0eccdfe0fa24036b6d5 (digest as transcribed, with characters missing). MD5 is a fast, unsalted hash and is not suitable for password storage: identical passwords produce identical digests, precomputed tables apply directly, and an attacker can test billions of guesses per second offline. A salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) is the practical choice.
Slide 12: Salting.
Slide 13: Salting example: MD5("saltexamplepassword") = b01e9c5c f3ebc861bd (digest as transcribed, with characters missing). The salt is a random value, user-specific or system-specific, and is stored alongside the hash. A per-user salt is what makes identical passwords hash differently and defeats precomputed tables; a single system-wide salt only defeats tables built for other systems.
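The base case and the salted case above, carried through as an added worked example that is not part of the slides: PBKDF2-HMAC-SHA256 from the Python standard library is used in place of MD5 (MD5 is kept only to show the attacker's precomputed-table lookup), with a per-user random salt stored next to the hash and a constant-time comparison at login. The attacker's candidate list and the user names are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# PBKDF2-HMAC-SHA256 stands in for a slow, salted password hash; the slide's
# MD5 is fast and unsalted, which is exactly what makes it weak here.
PBKDF2_ITERATIONS = 600_000   # large on purpose: each guess costs the attacker this much
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The slide's base case, H(password) with MD5: shown for comparison only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Build the stored credential record: a per-user random salt plus the key
    derived from salt and password. The salt is stored in the clear next to the
    hash, as the slide says; it need not be secret, only unique per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time, so the comparison itself leaks no prefix match."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(dk.hex(), str(record["hash"]))


def precomputed_table(candidates: List[str]) -> Dict[str, str]:
    """An attacker's lookup table digest -> password for the unsalted base case."""
    return {unsalted_md5(p): p for p in candidates}


def table_attack(password: str) -> Dict[str, object]:
    """With no salt, the stolen digest is looked up directly in the table.
    With a per-user salt the attacker would need one table per salt value,
    so the stored hash is never found in a precomputed table."""
    # Constructed attacker wordlist for the demo.
    table = precomputed_table(["123456", "password", "examplepassword", "letmein"])
    record = make_record(password)
    return {
        "unsalted_cracked": table.get(unsalted_md5(password)),
        "salted_in_table": str(record["hash"]) in table,
    }


if __name__ == "__main__":
    rec = make_record("examplepassword")
    print(rec)
    print(verify(rec, "examplepassword"), verify(rec, "ExamplePassword"))
    print(table_attack("examplepassword"))
```

Two users who pick the same password get different `hash` values because their salts differ, so cracking one record tells the attacker nothing about the other; the iteration count is what slows down the offline guessing the slide lists under stolen hash files.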
Slide 14: Honeywords (title slide).
Slide 15: Architecture.
Slide 16: Architecture. For user i the main server stores the hashes H(w_{i,1}), H(w_{i,2}), ..., H(w_{i,k}) of the k sweetwords w_{i,1}, ..., w_{i,k}; one of them is the sugarword, the rest are honeywords, and any of them may be a tough nut. The honeychecker stores only c_i, the position of the sugarword in the list (c_i = k-2 in the figure).
Slide 17: Terminology
- k sweetwords = potential passwords
- 1 sugarword = the correct password
- k-1 honeywords = incorrect (decoy) passwords
- tough nut = a very strong password whose hash the adversary is unable to invert; any honeyword, or even the sugarword, can be a tough nut
Slide 18: Architecture - Honeychecker
- A separate, hardened computer system with a secure channel to the main system
- Can raise an alarm when an irregularity is detected
- Holds a simple database of key-value pairs u_i : c_i, where u_i is the i-th user and c_i is a small integer giving the position of that user's correct password in the list w
- Accepts two commands: Set(i, j) sets c_i = j; Check(i, j) returns the result of c_i == j
Slide 19: Architecture - simple example. The system suspends an account after five consecutive unsuccessful login attempts and each list w holds k = 20 sweetwords. An adversary who tries the sweetwords in random order has a 15/20 = 75% chance that the sugarword is not among the first five, i.e. a 75% chance of being locked out (and detected) before finding it.
Slide 20: Operation.
Slide 21: Login. Let g be the proffered password.
- If g == sugarword, the login is successful.
- Else if g is not a honeyword either, the login is rejected (an ordinary wrong password).
- Else (g == some honeyword) raise an alarm and apply the configured policy, for example: let the login proceed; let the login proceed to a honeypot system; trace the login source; log the user's activities; shut down the user's account and contact the user; shut down the system and request new passwords from all users.
Slide 22: Password change / registration
- Run Gen(k) to obtain the list w of k sweetwords, the list h of their hashes and the value c_i
- Notify the honeychecker of c_i (Set(i, c_i))
- Store the list h on the main server
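A simulation of the honeychecker protocol (Set/Check), the login decision and the registration step above, together with the failover mode discussed later under policy choices; this is an added example, not the paper's code. The sweetword lists are constructed, and one salt per user plus a small PBKDF2 iteration count are simplifications so the demo runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

KDF_ITERATIONS = 50_000   # small for the demo; use far more in production


class HoneycheckerUnavailable(Exception):
    """Raised when the honeychecker cannot be reached (triggers failover)."""


class Honeychecker:
    """The separate hardened system of slide 18: it stores only u_i -> c_i and
    answers Set and Check. It never sees passwords or their hashes."""

    def __init__(self) -> None:
        self._c: Dict[str, int] = {}
        self.alarms: List[Tuple[str, int]] = []
        self.available = True

    def set(self, user: str, j: int) -> None:          # Set(i, j)
        self._require_up()
        self._c[user] = j

    def check(self, user: str, j: int) -> bool:        # Check(i, j)
        self._require_up()
        ok = self._c[user] == j
        if not ok:
            self.alarms.append((user, j))               # honeyword hit: raise the alarm
        return ok

    def _require_up(self) -> None:
        if not self.available:
            raise HoneycheckerUnavailable()


def _h(salt: bytes, word: str) -> bytes:
    """Salted, slow hash of one sweetword (one salt per user, for brevity)."""
    return hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, KDF_ITERATIONS)


class MainServer:
    """Keeps the list h of sweetword hashes per user and asks the honeychecker
    whether a matching sweetword is the sugarword or a honeyword."""

    def __init__(self, checker: Honeychecker) -> None:
        self.checker = checker
        self.records: Dict[str, Tuple[bytes, List[bytes]]] = {}
        self.pending_checks: List[Tuple[str, int]] = []   # buffered during failover

    def register(self, user: str, sweetwords: List[str], c: int) -> None:
        """Slide 22: given Gen(k)'s output (list w and index c), store the
        hashes h on the main server and hand c to the honeychecker."""
        salt = os.urandom(16)
        self.records[user] = (salt, [_h(salt, w) for w in sweetwords])
        self.checker.set(user, c)

    def login(self, user: str, g: str) -> str:
        """Slide 21: returns 'OK', 'REJECT' or 'ALARM'. In failover mode
        (slide 40) every sweetword is accepted and the Check is buffered."""
        salt, hashes = self.records[user]
        hg = _h(salt, g)
        matches = [j for j, h in enumerate(hashes) if hmac.compare_digest(h, hg)]
        if not matches:
            return "REJECT"                   # neither sugarword nor honeyword
        j = matches[0]
        try:
            return "OK" if self.checker.check(user, j) else "ALARM"
        except HoneycheckerUnavailable:
            self.pending_checks.append((user, j))
            return "OK (failover, check buffered)"

    def replay_pending(self) -> List[Tuple[str, int]]:
        """Once the honeychecker is back, replay the buffered Checks and return
        the (user, index) pairs that turn out to be honeyword hits."""
        hits = [(u, j) for u, j in self.pending_checks if not self.checker.check(u, j)]
        self.pending_checks.clear()
        return hits


if __name__ == "__main__":
    hc = Honeychecker()
    ms = MainServer(hc)
    ms.register("alice", ["examplepasswort7(", "examplepassword1$", "examplepassworz8+"], c=1)
    for guess in ("examplepassword1$", "examplepassworz8+", "nothing-like-it"):
        print(guess, "->", ms.login("alice", guess))
    print("alarms:", hc.alarms)
```

Note what each party learns: the main server never learns which index is the sugarword unless it asks, and the honeychecker never learns a password, so an attacker must compromise both machines to log in undetected; during failover a honeyword hit is detected late rather than lost.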
Slide 23: Generation.
Slide 24: Flatness. The security of Gen(k) is defined by an adversarial game: Gen(k) runs and produces the list w and the index c of the correct password. The adversary (an algorithm) is given w and may: guess the correct password (wins the game); guess a honeyword (gets caught); or decline to play and pass.
Slide 25: Flatness. Let z be the adversary's expected probability of winning the game. z >= 1/k, since a uniformly random guess among the k sweetwords already wins with probability 1/k. Gen(k) is ε-flat if the maximum of z over all adversaries is ε. Gen(k) is perfectly flat when ε = 1/k; the probability of picking a honeyword and getting caught is then 1 - ε = 1 - 1/k = (k-1)/k. For k = 20: (20-1)/20 = 0.95, a 95% chance of getting caught.
Slide 26: Generation categories
- Legacy-UI password changes: generation does not influence how the user picks a password
- Modified-UI password changes: the UI is modified to interact with the user's password choice
- Chaffing: the k-1 honeywords are similar in style to the sugarword, or at least plausible as legitimate passwords, so the adversary has difficulty distinguishing any one of them from the others
Slide 27: Chaffing by tweaking (tail-tweaking) with t = 3, k = 10, p = examplepassword1$. The last t characters are replaced by random characters of the same class (letter, digit, symbol): examplepassword1$ (sugarword), examplepasswort7(, examplepasswora2!, examplepassworc4_, examplepassworf0#, examplepassworl9}, examplepassworl6@, examplepassworm3), examplepassworq5*, examplepassworz8+.
Slide 28: Chaffing-with-a-password-model, k = 10, p = examplepassword1$. The user's password does not influence the generation of the honeywords; they are drawn from a password model: mobopy? venlorhan WORFmgthness pizzhemix01 1erapc hellofrom23 examplepassword1$ sbgo dia (as transcribed).
Slide 29: Chaffing-with-a-password-model, structure-driven. The password's structure influences the generation: examplepassword1$ has structure W15 D1 S1 (15-letter word, 1 digit, 1 symbol), so honeywords of the same structure are produced, e.g. acknowledgement9&.
Slide 30: Chaffing with tough nuts: mobopy? venlorhan WORFmgthness ? 1erapc hellofrom23 examplepassword ? 02123dia, where "?" marks a tough nut whose plaintext is unknown. The non-tough-nut entries can be produced with any of the previous methods. Tough nuts are literally uncracked, so even after inverting the other hashes the adversary does not have complete knowledge of the sweetword list.
Slide 31: Take-a-tail, p = examplepassword1$. The system tells the user "append 623 to your password"; the password becomes examplepassword1$623 and the user must remember the system-chosen tail. Chaffing by tweaking that tail then produces the remaining honeywords.
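Tail-tweaking (slide 27), take-a-tail (slide 31) and the flatness game of slides 24-25, as an added example that is not the paper's code. The symbol alphabet used for tweaks and the rule that a tweaked character keeps its class (letter, digit, symbol) are assumptions taken from the slide's sample list; the seed parameter only exists to make demos reproducible.

```python
import random
import string
from typing import List, Optional, Tuple

_LOWER, _UPPER, _DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
_SYMBOLS = "!@#$%^&*()_+-=}{[]?"   # assumed symbol alphabet for tweaks


def _pool(ch: str) -> str:
    """Character class of ch; a tweak keeps the class, so a letter stays a
    letter, a digit a digit and a symbol a symbol, as in the slide's list."""
    if ch.isdigit():
        return _DIGITS
    if ch.isalpha():
        return _UPPER if ch.isupper() else _LOWER
    return _SYMBOLS


def _rng(seed: Optional[int]) -> random.Random:
    """Seeded generator for reproducible demos, a CSPRNG otherwise."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def _tail_tweak(password: str, k: int, t: int, rng: random.Random) -> Tuple[List[str], int]:
    if len(password) < t:
        raise ValueError("password shorter than tail length t")
    head, tail = password[:-t], password[-t:]
    capacity = 1
    for ch in tail:
        capacity *= len(_pool(ch))
    if k > capacity:                     # cannot produce k distinct sweetwords
        raise ValueError(f"only {capacity} distinct tails possible, k={k} requested")
    words = {password}
    while len(words) < k:
        words.add(head + "".join(rng.choice(_pool(ch)) for ch in tail))
    w = sorted(words)
    rng.shuffle(w)                       # the sugarword's position must not be predictable
    return w, w.index(password)


def gen_tail_tweaking(password: str, k: int, t: int = 3,
                      seed: Optional[int] = None) -> Tuple[List[str], int]:
    """Gen(k) by chaffing-by-tweaking the last t characters. Returns the list w
    of k distinct sweetwords and the index c of the sugarword, i.e. the value
    the main server hands to the honeychecker with Set(i, c)."""
    return _tail_tweak(password, k, t, _rng(seed))


def take_a_tail(password: str, k: int, t: int = 3,
                seed: Optional[int] = None) -> Tuple[str, List[str], int]:
    """Take-a-tail: the system appends a random t-digit tail that the user must
    remember, then tail-tweaking chaffs that tail. Returns the new password,
    the list w and the sugarword's index."""
    rng = _rng(seed)
    new_password = password + "".join(rng.choice(_DIGITS) for _ in range(t))
    w, c = _tail_tweak(new_password, k, t, rng)
    return new_password, w, c


def random_adversary_catch_rate(k: int, trials: int, seed: Optional[int] = None) -> float:
    """The flatness game against the best generic adversary for a perfectly
    flat Gen(k): a uniformly random pick among the k sweetwords. The fraction
    of games in which the adversary is caught approaches (k-1)/k."""
    rng = _rng(seed)
    caught = 0
    for _ in range(trials):
        w, c = _tail_tweak("examplepassword1$", k, 3, rng)
        if rng.randrange(k) != c:
            caught += 1
    return caught / trials


if __name__ == "__main__":
    w, c = gen_tail_tweaking("examplepassword1$", k=10)
    print(w, "sugarword at", c)
    print(take_a_tail("examplepassword1$", k=10))
    print("catch rate, k=20:", random_adversary_catch_rate(20, 5000))
```

Tail-tweaking is only as flat as the tail is unpredictable: a user who ends every password in "1$" makes the tweaked tails look less plausible than the real one, which is why take-a-tail lets the system choose the tail.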
Slide 32: Variations and extensions.
Slide 33: Random pick. Ask the user to provide k passwords (or generate them by an algorithm), randomly pick one to be the sugarword and tell the user which. High risk of the user remembering a honeyword instead of the sugarword.
Slide 34: Typo-safety. Typos are a common way for a legitimate user to enter a honeyword. Gen(k) (chaffing) techniques should avoid honeywords that the user could easily enter by mistake, and error-detection techniques can be used to tell a typo from a deliberate honeyword submission.
Slide 35: Managing old passwords. The paper suggests not storing old passwords, to keep users safe (old lists leak information about how sweetwords are generated and about real passwords). Where old passwords are needed they can be kept over the full user population rather than per user, possibly in a Bloom filter.
Slide 36: Storage optimization. Methods can be optimized to reduce their storage. For tail-tweaking, store only the hash of the head rather than of every sweetword; at login dynamically compute w from the head and all possible tails and check the submitted tail's position against the sugarword's index.
Slide 37: Hybrid generation methods. Combine different honeyword generation strategies. A simple hybrid scheme: use chaffing-with-a-password-model to generate a seed list of k' sweetwords; apply chaffing-by-tweaking-digits to each seed to obtain k'' variants, giving k = k' * k'' sweetwords in total; randomly permute the k-entry list to obtain the final list w.
Slide 38: Policy choices.
Slide 39: Password eligibility
- Password syntax: minimum or maximum length, minimum number of digits, minimum number of special characters
- Dictionary words: the password cannot be a dictionary word
- Password re-use: the password must differ from any of the user's last r passwords
- Most common / popular passwords are rejected
Slide 40: Failover. If the honeychecker has failed or is unreachable, the main server enters failover mode: all sweetwords are accepted as passwords, and the Check messages are buffered and logged for later processing by the honeychecker, so a honeyword hit is detected late rather than lost.
Slide 41: Per-user policies
- Honeypot accounts: accounts with no real user, so any login to them signals theft of the main server's password file and list w; they also help distinguish a real attack from a DoS attempt
- Selective alarms: raise an alarm when honeyword hits are noticed, with different policies depending on the user's role
Slide 42: Per-sweetword policies. A different action can be attached to each sweetword attempt, such as allow login, allow a single login, or raise a silent alarm; the honeychecker side can implement flexible policies.
Slide 43: Attacks.
Slide 44: General password guessing. Legacy-UI methods cannot do anything about it. Modified-UI methods can affect this threat: take-a-tail with a three-digit tail reduces the probability of a successful guess by a factor of 1000.
Slide 45: Targeted password guessing. A user's personal information can help the adversary distinguish the sugarword: de-anonymize users by mapping them to their real-world identities (via social network graphs or usernames), then find demographic or biographic data on that identity. The same data can be used to guess the answers to personal questions in password recovery.
Slide 46: Attacking the honeychecker. The adversary can cause failovers, as discussed above, or may try to issue Set and Check commands by fooling the honeychecker (impersonating the main server).
Slide 47: Likelihood attack. The adversary analyses the honeywords and can distinguish a honeyword generator's output from real user-chosen passwords; for example NewtonSaid:F=ma is not a password a honeyword generator would produce, so it must be the sugarword.
Slide 48: Denial-of-service. An adversary who knows honeywords but not the sugarword can deliberately submit honeywords instead of the sugarword to trigger alarms, simulating a DoS attack to hide their true interest; for this reason a DoS pattern should not be treated as strongly as a genuine honeyword attack.
Slide 49: Multiple systems. A user keeps the same password on two distinct systems, both of which lose their password files.
- Intersection attack: the adversary intersects the two lists w; the reused sugarword appears in both, while independently generated honeywords almost never do.
- Sweetword-submission attack: the adversary submits the sweetwords from the first system's list to the second system and vice versa; honeywords of the first system are just wrong passwords on the second, so they trigger no alarm there, and only the sugarword logs in.
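Both multiple-system attacks above, as an added example that is not part of the slides. The two sweetword lists are constructed as if recovered from two breached password files, and `OnlineSystem` is an assumed minimal model of the second system's login endpoint with a lockout counter, which is the only thing standing in the way of the sweetword-submission attack.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sweetword lists (k = 5) as they might be recovered from the
# password files of systems A and B once the hashes were inverted. The user
# reused examplepassword1$ on both; each system generated its honeywords
# independently, so those differ.
W_SYSTEM_A = ["examplepassworc4_", "examplepassword1$", "examplepassworl9}",
              "examplepasswort7(", "examplepassworz8+"]
W_SYSTEM_B = ["examplepassworb2!", "examplepassworf0#", "examplepassword1$",
              "examplepassworm3)", "examplepassworq5*"]


def intersection_attack(w_a: List[str], w_b: List[str]) -> List[str]:
    """Slide 49: with both lists in hand, intersect them. Only the reused
    sugarword survives, so no honeyword is ever submitted anywhere and no
    alarm is raised on either system."""
    return sorted(set(w_a) & set(w_b))


class OnlineSystem:
    """Minimal model of the second system's login endpoint: its own sweetword
    list and honeychecker index, plus a lockout after max_failures wrong tries
    (assumed defence; the slides' example uses five consecutive failures)."""

    def __init__(self, sweetwords: List[str], c: int, max_failures: int = 5) -> None:
        self.sweetwords, self.c, self.max_failures = sweetwords, c, max_failures
        self.failures = 0
        self.alarms = 0

    def login(self, g: str) -> str:
        if self.failures >= self.max_failures:
            return "LOCKED"
        if g == self.sweetwords[self.c]:
            return "OK"
        if g in self.sweetwords:
            self.alarms += 1              # a honeyword of THIS system: alarm
            return "ALARM"
        self.failures += 1                # a wrong password: no alarm, one strike
        return "REJECT"


def sweetword_submission_attack(w_a: List[str], target: OnlineSystem) -> Dict[str, object]:
    """Slide 49: try every sweetword of system A against system B online.
    A's honeywords are merely wrong passwords on B (REJECT, no alarm), so the
    adversary's only risk is B's lockout counter."""
    log: List[Tuple[str, str]] = []
    found: Optional[str] = None
    for g in w_a:
        result = target.login(g)
        log.append((g, result))
        if result == "OK":
            found = g
            break
    return {"password": found, "attempts": len(log), "alarms_on_b": target.alarms, "log": log}


if __name__ == "__main__":
    print("intersection:", intersection_attack(W_SYSTEM_A, W_SYSTEM_B))
    print(sweetword_submission_attack(W_SYSTEM_A, OnlineSystem(W_SYSTEM_B, c=2)))
```

The lockout threshold bounds the online attack at `max_failures` wrong guesses, but the intersection attack needs no online guesses at all; only distinct passwords per system, or decoys shared between the services as SAuth does later, remove the signal.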
Slide 50: Methods comparison (table not transcribed).
Slide 51: Synergetic Authentication (SAuth).
Slide 52: Architecture.
Slide 53: Architecture. The target service S is the service the user wants to log into; a set of vouching services V is available, and the user selects one vouching service that vouches for and authenticates the user. The user maintains an account on both the target service and the selected vouching service.
Slide 54: Architecture. The user is asked to choose from a list of trusted vouching services; the target service synergizes with the selected vouching service through protocol messages. Note that the authentication on the two services MUST be done on associated accounts (the accounts linked during activation).
Slide 55: Protocol details.
Slide 56: Security and trust. SAuth relies on trust between the various vouching services; any vouching service that fails to meet the security expectations is discarded. Maintaining a group of vouching services keeps SAuth flexible.
Slide 57: Activation. In any new setup an association step is required between the target service and the potential vouching services: the target service generates an anonymous alias for each user; the user provides the alias to the vouching service; the two services match the accounts by proof of the alias.
Slide 58: Authenticity. Special measures are needed to ensure the authenticity of protocol messages. Each message is required to carry:
- Service: identifier of the sending service (its domain, a URI or an alias of the service)
- Signature: a cryptographic signature (RSA-SHA1 in the design) computed with the sender's private key
- Signed fields: the list of the names of the parameters covered by the signature; the receiver verifies the signature over exactly those fields using the sender's public key, obtained from its X.509 certificate
Two caveats for anyone building this today: SHA-1 is deprecated for signatures, so RSA-SHA256 or an ECDSA/EdDSA signature should be used; and every parameter that influences the authentication decision must appear in the signed-fields list, otherwise it can be altered in transit without invalidating the signature.
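The three authenticity parameters above, as an added example that is not SAuth's own code. SAuth signs with the sending service's RSA private key and verifies with the public key from its X.509 certificate; because the Python standard library has no RSA, HMAC-SHA256 with an assumed pre-shared key per service stands in for the signature. The canonicalisation of the signed fields and the receiver-side check that all security-relevant fields were actually signed, which is the point of the slide, are the same either way. Service names, field names and key material are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed demo key. Stand-in for the (private key, X.509 certificate) pair:
# the signer and the verifier both hold it, unlike a real signature key.
SHARED_KEYS: Dict[str, bytes] = {"gmail.example": secrets.token_bytes(32)}


def canonical_string(message: Dict[str, str], signed_fields: List[str]) -> bytes:
    """The bytes actually covered by the signature: the ordered signed field
    names and their values, length-prefixed so no field boundary can be moved.
    Anything not listed in signed_fields is NOT covered."""
    parts = [str(len(signed_fields))]
    for name in signed_fields:
        value = message[name]
        parts.append(f"{len(name)}:{name}")
        parts.append(f"{len(value)}:{value}")
    return "|".join(parts).encode("utf-8")


def sign_message(service: str, fields: Dict[str, str], signed_fields: List[str]) -> Dict[str, str]:
    """Attach the slide's three parameters: service, signed_fields, signature.
    'service' and 'signed_fields' are always covered, so neither the claimed
    sender nor the coverage list can be swapped after signing."""
    msg = dict(fields)
    msg["service"] = service
    covered = ["service", "signed_fields"] + [f for f in signed_fields if f not in ("service", "signed_fields")]
    msg["signed_fields"] = ",".join(covered)
    msg["signature"] = hmac.new(SHARED_KEYS[service], canonical_string(msg, covered), hashlib.sha256).hexdigest()
    return msg


def verify_message(msg: Dict[str, str], required_fields: List[str]) -> Tuple[bool, str]:
    """Receiver side: look up the sender's key by its service identifier,
    insist that every security-relevant field is among the signed fields,
    then recompute the signature over exactly those fields."""
    key = SHARED_KEYS.get(msg.get("service", ""))
    if key is None:
        return False, "unknown service"
    signed_fields = msg.get("signed_fields", "").split(",")
    missing = [f for f in required_fields if f not in signed_fields]
    if missing:
        return False, f"unsigned security-relevant fields: {missing}"
    if any(f not in msg for f in signed_fields):
        return False, "signed field absent from message"
    expected = hmac.new(key, canonical_string(msg, signed_fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("signature", "")):
        return False, "bad signature"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Four cases: a valid message, a tampered signed field, a tampered field
    that the sender left unsigned (caught only because the receiver requires
    it), and the same message accepted by a lax receiver that does not."""
    fields = {"alias": "u-7f3a", "nonce": secrets.token_hex(8), "action": "vouch_request"}
    required = ["alias", "nonce", "action"]
    good = sign_message("gmail.example", fields, required)
    tampered = dict(good)
    tampered["alias"] = "u-0000"
    partial = sign_message("gmail.example", fields, ["alias"])   # action, nonce unsigned
    partial_mod = dict(partial)
    partial_mod["action"] = "grant"                               # altered in transit
    return {
        "good": verify_message(good, required),
        "tampered": verify_message(tampered, required),
        "unsigned_action": verify_message(partial_mod, required),
        "unsigned_action_lax": verify_message(partial_mod, ["alias"]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The last case is the one to remember: the signature on `partial_mod` still verifies, because `action` was never covered, so a verifier that trusts the sender's signed-fields list blindly accepts an altered message. A nonce or timestamp among the required fields is what turns this into replay protection as well.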
Slide 59: Password reset. The typical method is used: e-mailing a reset link to a trusted address after some security questions. SAuth enhances this model by adding a verification step with the vouching services.
Slide 60: Usability
- Takes advantage of users keeping many tabs open concurrently
- Authentication state is stored in HTTP cookies, so with auto-completion the vouching step can complete from existing cookies without re-entering credentials
- SAuth is aligned with the "sign in with Google" or "sign in with Facebook" mechanisms users already know
- It is highly unlikely that a user holds no account on any of the vouching services
Slide 61: Availability. The target service is fully capable of acting on its own if the vouching service fails; until the vouching service is available again it can take additional measures, such as offering limited functionality or falling back to security questions.
Slide 62: Password compromise alerts. SAuth acts as a warning system for compromised passwords: an adversary holding the target-service password must still guess the user's vouching-service password online, and a user who repeatedly fails to authenticate there is a suspect.
Slide 63: Operation.
Slide 64: Operation example. Target service: Gmail. User agent: Google Chrome. Vouching service: Facebook.
Slide 65: Registration messages (figure only).
Slide 66: Authentication messages (figure only).
Slide 67: User-agent redirection messages (figure only).
Slide 68: Password reuse.
Slide 69: Password reuse - decoys. Sharing one password among many services is quite common. Decoys (honeywords, as seen earlier) are a possible solution. Two requirements for decoy generation: there must be no single mask (pattern) that describes the whole set of decoys; and the decoys must be passwords a human could plausibly have chosen. Major difference from the honeywords paper: ALL decoy passwords are accepted as valid passwords at the target service, which defers the decision to the vouching service, where the adversary still has to guess online which candidate is the real reused password.
Slide 70: Security evaluation.
Slide 71: Security evaluation notation
- G_B: the probability of an adversary successfully guessing both passwords
- G_S: the probability of the adversary guessing just the second password, assuming knowledge of the first
- D(s): the distribution of users that share the same password on both services
- PS: a given password space
Slide 72: Without decoys. The original design fails to improve the security of accounts that reuse their password on both services.
Slide 73: With decoys. Decoys significantly improve the security of such accounts.
Slide 74: Security evaluation comparison (figure only).
Slide 75: Security evaluation comparison (figure only).
Slide 76: Questions.
More informationThis Security Policy describes how this module complies with the eleven sections of the Standard:
Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights
More informationHardware One-Time Password User Guide November 2017
Hardware One-Time Password User Guide November 2017 1 Table of Contents Table of Contents... 2 Purpose... 3 About One-Time Password Credentials... 3 How to Determine if You Need a Credential... 3 Acquisition
More informationSecurity & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of
Contents Security & Privacy Contents Web Architecture and Information Management [./] Spring 2009 INFO 190-02 (CCN 42509) Erik Wilde, UC Berkeley School of Information Abstract 1 Security Concepts Identification
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationNetwork Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System
Network Working Group T. Wu Request for Comments: 2945 Stanford University Category: Standards Track September 2000 Status of this Memo The SRP Authentication and Key Exchange System This document specifies
More information1 Installing OPI is Easy
Installing OPI is Easy 1 Installing OPI is Easy 1. Plug in the network cable to in Internet enabled port, either directly connected to the Internet or behind a router. 2. Plug connect the supplied USB
More informationA robust smart card-based anonymous user authentication protocol for wireless communications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 A robust smart card-based anonymous user authentication
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hash functions: Generates a unique short code from a large file Uses of hashes MD5, SHA1, SHA2, SHA3 Message Authentication
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationHardware One-Time Password User Guide August 2018
Hardware One-Time Password User Guide August 2018 Copyright 2017 Exostar LLC. All rights reserved 1 Version Impacts Date Owner Hardware One-Time Password User Guide Image updates August 2018 M. Williams
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hashes and Message Authentication Codes Properties of Hashes and MACs CBC-MAC, MAC -> HASH (slow), SHA1, SHA2, SHA3 HASH
More informationEn#ty Authen#ca#on and Session Management
En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project
More informationNigori: Storing Secrets in the Cloud. Ben Laurie
Nigori: Storing Secrets in the Cloud Ben Laurie (benl@google.com) April 23, 2013 1 Introduction Secure login is something we would clearly like, but achieving it practically for the majority users turns
More informationCSC 474 Network Security. Authentication. Identification
Computer Science CSC 474 Network Security Topic 6. Authentication CSC 474 Dr. Peng Ning 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationRSA DISTRIBUTED CREDENTIAL PROTECTION
RSA DISTRIBUTED CREDENTIAL PROTECTION There is a security weakness lurking in many of today s best designed systems a primary point of compromise. Think about your own IT operations. Chances are that by
More informationSecret-in.me. A pentester design of password secret manager
Secret-in.me A pentester design of password secret manager Who am I? Security engineer Working at SCRT France! Password manager Password A string Secret Information shared by very few people You have to
More informationA Security Analysis of Honeywords. Ding Wang, Haibo Cheng, Ping Wang, Jeff Yan, Xinyi Huang
A Security Analysis of Honeywords Ding Wang, Haibo Cheng, Ping Wang, Jeff Yan, Xinyi Huang Password Password-based authentication is still ubiquitous Millions of passwords were leaked p Thousands of data
More informationContents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4
Contents SSL-Based Services: HTTPS and FTPS 2 Generating A Certificate 2 Creating A Self-Signed Certificate 3 Obtaining A Signed Certificate 4 Enabling Secure Services 5 SSL/TLS Security Level 5 A Note
More informationQuick Start. for Users. Online Banking
Quick Start for Users Online Banking Table of Contents Getting Started... 1 Multifactor Authentication.... 2 Log In.... 3 Reset Your Password.... 4 Reset Your Security Question... 6 Change Your Phone Number....
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationManage Administrators and Admin Access Policies
Manage Administrators and Admin Access Policies Role-Based Access Control, on page 1 Cisco ISE Administrators, on page 1 Cisco ISE Administrator Groups, on page 3 Administrative Access to Cisco ISE, on
More informationGuidance for using the PBCCD Reporting Platform (ProcXed)
Guidance for using the PBCCD Reporting Platform (ProcXed) This guidance explains how to access and enter data on the Scottish Government s reporting platform (ProcXed) for submitting Public Bodies Climate
More informationEnhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation
Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationManaged Access Gateway One-Time Password Hardware Tokens. User Guide
Managed Access Gateway One-Time Password Hardware Tokens User Guide Version 4.0 Exostar, LLC January 2017 Table of Contents OTP HW Token User Guide Table of Contents... ii Purpose... 1 Order OTP Hardware
More informationOAuth securing the insecure
Black Hat US 2011 khash kiani khash@thinksec.com OAuth securing the insecure roadmap OAuth flow malicious sample applications mobile OAuth google app web-based OAuth facebook app insecure implementation
More informationAuthentication CS 4720 Mobile Application Development
Authentication Mobile Application Development System Security Human: social engineering attacks Physical: steal the server itself Network: treat your server like a 2 year old Operating System: the war
More informationComputer Security & Privacy
Computer Security & Privacy Melissa Winstanley (mwinst@cs.washington.edu) (based on slides by Daniel Halperin) How exploration sessions work You get 1/3 point of extra credit for each session Attendance
More informationDesigning Password-Reuse Notifications
!"#$%$&$"'()*&&"( What was that site doing with my Facebook password?!$+"',"(-.$ /0&$.11.(2"$'&$'. 34,$"(5$&$6.!"+708(9:+%01;
More informationFrequently Asked Questions (FAQ)
Your personal information and account security is important to us. This product employs a Secure Sign On process that includes layers of protection at time of product log in to mitigate risk, and thwart
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
More informationResponding to an RFP/RFQ/RFI in The Global Fund Sourcing Application Supplier Instructions
Responding to an RFP/RFQ/RFI in The Global Fund Sourcing Application Supplier Instructions Version 1.1 The Global Fund 26-MAR-2018 P a g e 2 1. Contents 1. Contents... 2 2. Purpose and Scope... 3 3. Background...
More informationChapter 1 Protecting Financial Institutions from Brute-Force Attacks
Chapter 1 Protecting Financial Institutions from Brute-Force Attacks Cormac Herley and Dinei Florêncio Abstract We examine the problem of protecting online banking accounts from password brute-forcing
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationAuthentication. Identification. AIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationExostar Identity Access Platform (SAM) User Guide July 2018
Exostar Identity Access Platform (SAM) User Guide July 2018 Copyright 2018 Exostar, LLC All rights reserved. 1 Version Impacts Date Owner Identity and Access Management Email Verification (Email OTP) July
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More information