Topics. Authentication System. Passwords
|
|
- Kory Lindsey
- 6 years ago
- Views:
Transcription
1 Passwords Topics 1. Password Systems 2. Password Attacks 3. Mitigating Attacks 4. Graphical passwords 5. One-time passwords Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C 1
2 Password System Example User authenticates with 8-character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z0-9]{8} C = A F = { I } L = { = } Not a system that anyone should actually use. Passwords What you know Sequence of characters Complementation Function Identity: requires access control to protect C One-way Hash easy to compute c = f(a) difficult to compute a = f -1 (c) Classic UNIX Passwords Format: Up to 8 ASCII characters A contains 6.9 x possible passwords C contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings Storage /etc/passwd (0644) was traditionally used /etc/shadow (0600) in modern systems 2
3 Attacks on Password Systems 1. Offline password cracking 2. Online dictionary attacks 3. Observe passwords 4. Attacking password infrastructure Offline Password Cracking Get Hashed Password pw hash word = Next word from list List of potential passwords. word hash = Hash(word) word hash == pw hash False True word is pw Cracking Methods 1. List of common passwords 2. List of English/foreign words 3. Permutation rules Substitute numbers/symbols for letters Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix,joining words 4. Brute force All possible passwords 3
4 Online Password Guessing Use application s login interface Much slower than offline attack, but Always possible to do. Two types of attack Guess passwords for a specific known user account Know that it s a valid account Use information about user (name, bday) to guess Guess usernames and guess passwords for all accounts Don t know if account is valid Failures may be due to invalid username or password Someone probably has an easy to guess password Observe Passwords Sniff passwords off network Must be able to access a network node in path between source and destination of communication Impossible if connection is encrypted Find passwords in a file or database Identify files/databases that likely to contain passwords May or may not be encrypted Shoulder surf Watch for someone to type a password Desk search Passwords may be written down near workspace Attacking Password Infrastructure Web sites will you password if you answer a simple secret question: 1. What is your favorite color? 2. What is your pet s name? 3. What is your mother s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there? 4
5 Mitigating Password Attacks 1. Enable system to use long passwords with a large alphabet of possible characters 2. Hash passwords to protect against file attacks 3. Salt passwords to protect against offline cracking 4. Select hard to guess passwords 5. Mitigating online attacks with backoff and lockout 6. Protect password management functions 7. Password aging 8. One-time passwords Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) TG / N G is number of guess per time unit T T is number of time units in attack N is number of possible passwords Calculating Minimum Password Length Password System There are 96 allowable characters in password. System allows 10 6 guesses/second. Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? N >= TG/P N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x N = 96 i, where i ranges from 1 to length of password 96 i >= N = 6.31 x is true when largest i >= 8 The minimum required password length is 8. 5
6 UNIX Password Hashing crypt() function used for hashing DES encrypts 64-bit block of 0s (25 rounds) using your password for the key. Modified DES incompatible with DES hardware cracking tools. Limited to 8 characters or less. If limited to 95 printable characters, only 2 53 possible passwords. How to resist dictionary attacks? Salting Salting Adds a 2-character (12-bit) random, public data to password to create key. Any word may be encrypted in 4096 possible ways (i.e., there are 4096 f F). Your password always uses same salt. Someone else with same password (a) probably has different salt, and thus different c = f(a). Number of possible keys increased to 2 66 Too small for today; modern UNIX doesn t use crypt. Salting (cont.) Prevents pre-calculated dictionary attack 2 66 passwords requires millions of terabytes crypt() 2 18 passwords/second Brute force would require 8000 machines for 48 days. 6
7 Modern UNIX Passwords Format: long ASCII string Hashing techniques: MD5 (unlimited length, bit salt) SHA1 (unlimited length, bit salt) Bcrypt (55 chars, 128-bit salt, adjustable cost) Windows 2000/XP Passwords Storage %systemroot%\system32\config\sam locked while NT running %systemroot%\repair\sam_ backup file may be accessible via remote registry calls Format LAN Manager (LM) Hash NT (MD4) Hash Windows LM Hash Algorithm 1. Password fitted to 14 character length by truncating or padding with 0s. 2. Password converted to upper case. 3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same 8-byte constant. 5. Resultant strings merged to form a 16-byte hash value. 7
8 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt Number of possible passwords much smaller than DES space. No salt is used. Windows NT Hash Converts to Unicode, MD4 hashes result Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility. No salt: identical passwords generate identical hashes. Password Selection 1. Random Selection 2. Pronounceable Passwords 3. User Selection 8
9 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking What about short passwords? Random passwords aren t easy to remember Short term memory holds 7 +/- 2 items People have multiple passwords Principle of Psychological Acceptability Requires a good PRNG Random Selection (Bad)Example PDP-11 password generator 16-bit machine 8 upper-case letters and digits P = 36 8 = 2.8 x At sec/encryption, 140 years to brute force PRNG had period of Only 65,535 possible passwords Requires 102 seconds to try all passwords Pronounceable Passwords Generate passwords from random phonemes instead of random characters. People can remember password as sequence of audible phonemes instead of characters, allowing easy recall of longer passwords. Fewer pronounceable passwords exist than random passwords. 9
10 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. Based on account, user, or host names 2. Dictionary words 3. Permuted dictionary words 4. Patterns from keyboard 5. Shorter than 6 characters 6. Digits, lowercase, or uppercase only passwords 7. License plates or acronyms 8. Based on previously used passwords Human Randomness? Most Common Passwords 10
11 How to Select Good Passwords 1. Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2. Themes: 1. Word combinations: 3 blind katz 2. or URL: yoda@strong-this-password-is.net 3. Phone number: (888) 888-eight eight 4. Bracketing: Starfleet -> *!-Starfleet-!* 5. Add a word: shopping -> Goin shopping 6. Repetition: Pirate--PirateShip 7. Letter swapping: Sour Grape -> Gour Srape Mitigating Online Attacks If complements not accessible, attacker cannot use offline attacks and must use authentication functions. Cannot be prevented. Increase difficulty of auth function attack: Backoff: increasing wait before reprompting. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Jailing: permit access to limited system, so admins can observe attacker. Protecting Password Management Always send password to a predetermined location Do not let user change /phone when requesting a password reset or change. Always notify the user of a password change User can be alerted in case an attacker has changed the password. Let user create questions and answers Don t provide a list of pre-determined questions. 11
12 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. If change time too short, users have difficulty recalling passwords. 2. Cannot allow users to change password to current one. 3. Also prevent users from changing passwords too soon. 4. Give notice of impending password change requirement. Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story. Password Reuse 12
13 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time. One-Time Passwords A password that s invalidated once used. Challenge: number of auth attempt Response: one-time password Problems Generation of one-time passwords Use hash or crytographic function Synchronization of the user and the system Number or timestamp passwords S/Key One-time password system based on a hash function h (MD4 or MD5). User initializes with random seed k. Key generator calculates: h(k) = k 1, h(k 1 ) = k 2,, h(k n-1 ) = k n Passwords, in order used, are p 1 = k n, p 2 = k n-1,, p n-1 = k 2, p n = k 1 13
14 S/Key Attacker cannot derive p i+1 from p i since p i = k n-i+1, p i+1 = k n-i, and h(k n-i ) = k n-i+1 which would require inverting h. Once user has used all passwords, S/Key must be reinitialized with a new seed. S/Key Login 1. User supplies account name to server 2. Server replies with number i stored in skeykeys file 3. User supplies corresponding password p i 4. Server computes h(p i ) = h(k n-i+1 ) = k n-i+2 = p i-1 and compares result with stored password. If match, user is authenticated and S/Key updates number in skeykeys file to i-1 and stores p i S/Key Login FreeBSD/i386 (example.com) (ttypa) login: <username> s/key 97 fw13894 Password: Use S/Key calculator on local system to calculate response: % key 97 fw13894 Enter secret password: WELD LIP ACTS ENDS ME HAAG 14
15 Other One Time Password Systems Software: OPIE Backwards compatible with S/Key (if same hash used). Hardware: RSA SecurID card Displayed password changes every 60sec. Password = constant password + SecurID Key Points Passwords can be attacked by Offline cracking Online guessing Observation Attacking password management functions Stored passwords are secured via Hashing (crypt, MD5, SHA1, bcrypt) Salting Good passwords need to be Complex Unique Secret Changed on a regular basis One-time passwords offer greater security. References 1. Ross Anderson, Security Engineering, Wiley, Matt Bishop, Introduction to Computer Security, Addison- Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranorand Simson Garfinkel, Security and Usability, O Reilly, Daswani, Foundations of Security, APress, Cynthia Kuo et. al., Human Selection of Mnemonic Phrasebased Passwords, SOUPS 2006, Neils Provosand David Mazieres, A Future-Adaptable Password Scheme, Ed Skoudis, Counter Hack Reloaded, Prentice Hall, Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O Reilly,
CIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Passwords CIT 380: Securing Computer Systems Slide #1 Topics 1. Password Systems 2. Password Cracking 3. Hashing and Salting 4. UNIX Password Systems 5. Windows Password
More informationAuthentication and Passwords. CSC 482/582: Computer Security
Authentication and Passwords Authentication 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication 7. Password Threat Models and Attacks 8. Storing
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1 Objectives Understand/explain the issues related to, and utilize
More informationGoals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack
Last Updated: Nov 7, 2017 Goals Understand UNIX pw system How it works How to attack Understand Lamport s hash and its vulnerabilities History of UNIX passwords Originally the actual passwords were stored
More informationAuthentication. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Authentication Murat Kantarcioglu Authentication Overview Basics Passwords Challenge-Response Biometrics Location Multiple Methods Basics
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 2 Password Authentication Roadmap Password Authentication
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Radu Sion Passwords 2005-12 portions Matt Bishop Authentication Basics Passwords Storage Selection Breaking them Other methods Multiple methods Systems Security
More informationHands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationHands-On Network Security: Practical Tools & Methods
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationUser Authentication. E.g., How can I tell you re you?
User Authentication E.g., How can I tell you re you? 1 The Basics Unlike real world authentication (e.g., you recognize someone s voice over the phone) computer can t recognize someone (well, not in the
More informationWorksheet - Reading Guide for Keys and Passwords
Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret
More informationBTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security
BTEC Level 3 Unit 32 Network System Security Password Authentication and Protection Passwords Why are they important? Passwords are cheap to deploy, but also act as the first line of defense in a security
More informationMANAGING LOCAL AUTHENTICATION IN WINDOWS
MANAGING LOCAL AUTHENTICATION IN WINDOWS Credentials Manager Windows OS has a set of tools that help remedy some of the authentication challenges. For example, the Credential Manager in Windows 7 and newer
More informationPassword cracking. IN Ethical Hacking. Bruvoll & Sørby. Department of Informatics 1 / 46
Password cracking IN5290 - Ethical Hacking Bruvoll & Sørby Department of Informatics 2018 1 / 46 Agenda About passwords Cracking passwords 2 / 46 About passwords 3 / 46 Passwords as authentication Providing
More informationMnemonic Password Algorithms
Mnemonic Password Algorithms Remembering Secure Passwords I)ruid What is a Mnemonic Password Algorithm? An MPA, or Mnemonic Password Algorithm, is a mental mapping of known elements
More informationPasswords. EJ Jung. slide 1
Passwords EJ Jung slide 1 Basic Problem? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem slide 2 Many Ways to Prove Who You Are What
More informationCIT 480: Securing Computer Systems. Authentication
CIT 480: Securing Computer Systems Authentication Topics 1. Digital Identity and Groups 2. Authentication 3. Formal Definition 4. Authentication Types 5. Tokens 6. Biometrics 7. UNIX Authentication Digital
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hash functions: Generates a unique short code from a large file Uses of hashes MD5, SHA1, SHA2, SHA3 Message Authentication
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication EECE 412 Copyright 2004-2007 Konstantin Beznosov What is Authentication? Real-world and computer world examples? What is a result
More informationComputer Security (EDA263 / DIT 641)
Computer Security (EDA263 / DIT 641) Lecture 4: Passwords Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Sweden Bad passwords Names (own, wife, child, dog,
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More informationPasswords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014
Passwords CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Unix Passwords In Unix, users are identified by user names Authenticated by passwords Therefore to login as
More informationAuthentication and passwords
Authentication and passwords Passwords The Key Idea Prover sends a password to a Verifier. The channel must be private If an attacker obtains a user s password, he can authenticate as her. Passwords must
More informationUser Authentication and Passwords
User Authentication and : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 31 October 2012 Y12S2L11, Steve/Courses/2012/s2/css322/lectures/passwords.tex,
More informationID protocols. Overview. Dan Boneh
ID protocols Overview The Setup sk Alg. G vk vk either public or secret User P (prover) Server V (verifier) no key exchange yes/no Applications: physical world Physical locks: (friend-or-foe) Wireless
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationLecture 3 - Passwords and Authentication
Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 What is authentication? Reliably verifying
More informationComputer Security 4/12/19
Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers
More informationPASSWORDS & ENCRYPTION
PASSWORDS & ENCRYPTION Villanova University Department of Computing Sciences D. Justin Price Fall 2014 CRYPTOGRAPHY Hiding the meaning of a message from unintended recipients. Open source algorithms are
More informationCIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Tunneling and VPNs CIT 480: Securing Computer Systems Slide #1 Topics 1. Tunneling 1. Encapsulation 2. Security 3. SSH 2. Virtual Private Networks 1. Site-to-site 2.
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationAuthentication. Amit Konar Math and Computer Sc., UMSL
Authentication Amit Konar Math and Computer Sc., UMSL What is Authentication? Authentication is the binding of an identity to a subject. Subjects act on behalf of some other, external entity. The identity
More informationCNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationAuthentication KAMI VANIEA 1
Authentication KAMI VANIEA FEBRUARY 1ST KAMI VANIEA 1 First, the news KAMI VANIEA 2 Today Basics of authentication Something you know passwords Something you have Something you are KAMI VANIEA 3 Most recommended
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building
More informationFrontline Information Protection
Frontline Information Protection a presentation to the Phoenix Chapter of ISACA by Hoyt L Kesterson II October 2014 OBSERVATION Most successful attacks spring from weakly-coded web pages or compromised
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication What is Authentication? Real-world and computer world examples? What is a result of authentication? What are the means for in
More informationPasswords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.
Passwords CS 166: Introduction to Computer Systems Security 1 Source: https://shop.spectator.co.uk/wp-content/uploads/2015/03/open-sesame.jpg 2 Password Authentication 3 What Do These Passwords Have in
More informationAuthentication. Tadayoshi Kohno
CSE 484 / CSE M 584 (Winter 2013) Authentication Tadayoshi Kohno Thanks to Vitaly Shmatikov, Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Bennet Yee, and many others for sample
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 9: Authentication Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Definition of entity authentication Solutions password-based
More informationCIT 380: Securing Computer Systems
Authentication Slide #1 Topics 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication Slide #2 What is Identity? Computer s representation of an entity
More informationCS61A Lecture #39: Cryptography
Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,
More informationAuthentication Objectives People Authentication I
Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.)
More informationPYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER
PYTHIA SERVICE WHITEPAPER BY VIRGIL SECURITY WHITE PAPER May 21, 2018 CONTENTS Introduction 2 How does Pythia solve these problems? 3 Are there any other solutions? 4 What is Pythia? 4 How does it work?
More informationL7: Authentication. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Authentication Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 10/7/2016 CSCI 451 -Fall 2016 1 Acknowledgement Revised based on slides are from
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationTABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure
TABLE OF CONTENTS 1.0 General Statement... 3 2.0 Purpose... 3 3.0 Scope... 3 4.0 Procedure... 3 4.1 General... 3 4.2 Requirements... 4 4.3 Guidelines... 4 5.0 Failure to comply... 6 2 1.0 GENERAL STATEMENT
More informationUser Authentication. Daniel Halperin Tadayoshi Kohno
CSE 484 / CSE M 584 (Autumn 2011) User Authentication Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationPassword retrieval. Mag. iur. Dr. techn. Michael Sonntag
Mag. iur. Dr. techn. Michael Sonntag Password retrieval E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology
More informationAuthentication, Passwords. Robert H. Sloan
Authentication, Passwords Robert H. Sloan authenticate verb [ trans. ] prove or show (something) to be true or genuine : they were invited to authenticate artifacts from the Italian Renaissance. [ intrans.
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationCSC 474 Network Security. Authentication. Identification
Computer Science CSC 474 Network Security Topic 6. Authentication CSC 474 Dr. Peng Ning 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationTennessee Technological University Policy No Password Management
Tennessee Technological University Policy No. 852 Password Management Effective Date: January 1, 2014 Policy No: 852 Policy Name: Password Management Policy Policy Subject: Password Management Date Revised:
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationWindows authentication methods and pitfalls
Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks 1996-2013 - P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 13 Announcements Talk today: 3:00 Wu & Chen Auditorium Boon Thau Loo "Declarative Networking: Extensible Networks with Declarative Queries"
More informationAIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.
AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE Microsoft Windows Security www.uscyberpatriot.org AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hashes and Message Authentication Codes Properties of Hashes and MACs CBC-MAC, MAC -> HASH (slow), SHA1, SHA2, SHA3 HASH
More informationPASSWORD POLICIES: RECENT DEVELOPMENTS AND POSSIBLE APPRAISE
PASSWORD POLICIES: RECENT DEVELOPMENTS AND POSSIBLE APPRAISE Hazel Murray Department of Mathematics and Statistics/ Hamilton Institute, Maynooth University, Ireland David Malone Department of Mathematics
More informationCryptography for Software and Web Developers
Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno Böck 2014-05-28 1 / 13 Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness In security
More informationNETWORK SECURITY - OVERCOME PASSWORD HACKING THROUGH GRAPHICAL PASSWORD AUTHENTICATION
NETWORK SECURITY - OVERCOME PASSWORD HACKING THROUGH GRAPHICAL PASSWORD AUTHENTICATION P.Kiruthika R.Tamilarasi Department of Computer Applications, Dr.Mahalingam College Of Engineering and Technology,
More informationNetwork Working Group. Category: Standards Track September The SRP Authentication and Key Exchange System
Network Working Group T. Wu Request for Comments: 2945 Stanford University Category: Standards Track September 2000 Status of this Memo The SRP Authentication and Key Exchange System This document specifies
More informationLecture 4: Hashes and Message Digests,
T-79.159 Cryptography and Data Security Lecture 4: Hashes and Message Digests Helsinki University of Technology mjos@tcs.hut.fi 1 Cryptographic hash functions Maps a message M (a bit string of arbitrary
More informationSecurity Handshake Pitfalls
Hello Challenge R f(k, R f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone
More informationMaximizing the speed of time based SQL injection data retrieval
Maximizing the speed of time based SQL injection data retrieval 30c3, Hamburg, 29.12.2013 Arnim' ; DROP TABLE students;-- ) Introduction SQL injection SQLi is #1 of OWASP Top 10 Web vulnerabilities Sample
More informationMicrosoft Exam Security fundamentals Version: 9.0 [ Total Questions: 123 ]
s@lm@n Microsoft Exam 98-367 Security fundamentals Version: 9.0 [ Total Questions: 123 ] Question No : 1 The Active Directory controls, enforces, and assigns security policies and access rights for all
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationSecrets of the edu-id Password
Secrets of the edu-id Password Lukas Hämmerle lukas.haemmerle@switch.ch Trust & Identity WG Meeting 14. March 2018, Bern 2018 SWITCH 1 Setting a Good Password System: "Sorry, your password is too old and
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationAuthentication. Identification. AIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationIntroduction to Cryptography
Introduction to Cryptography 1 2 Definition process data into unintelligible form, reversibly, without data loss typically digitally usually one-to-one in size $ compression analog cryptography: voice
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationscrypt: A new key derivation function
Doing our best to thwart TLAs armed with ASICs Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Making bcrypt obsolete Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Are you sure your SSH
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationIntroduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.
Trusted Intermediaries CSC/ECE 574 Computer and Network Security Topic 7. Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center () Representative solution:
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationInformation Security in Systems and Networks
Information Security in Systems and Networks November 30, 2006 Damira Pon University at Albany, SUNY 1 Password Protection 2 Passwords Everywhere the Eye can See 3 Passwords Basic Problem How do you prove
More informationCOMPUTER PASSWORDS POLICY
COMPUTER PASSWORDS POLICY 1.0 PURPOSE This policy describes the requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft. Passwords
More informationCS 161 Computer Security
Popa & Weaver Fall 2016 CS 161 Computer Security 10/4 Passwords 1 Passwords are widely used for authentication, especially on the web. What practices should be used to make passwords as secure as possible?
More informationCONTENTS. Professional part. Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords
CONTENTS Professional part Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords PARADIGM PARADIGM What is that, how could you describe it? PARADIGM Set of generally
More information