CIT 380: Securing Computer Systems
|
|
- Nancy Greene
- 5 years ago
- Views:
Transcription
1 CIT 380: Securing Computer Systems Passwords CIT 380: Securing Computer Systems Slide #1
2 Topics 1. Password Systems 2. Password Cracking 3. Hashing and Salting 4. UNIX Password Systems 5. Windows Password Systems 6. Network Password Systems 7. Password Selection 8. Graphical Passwords 9. One-time Passwords Slide #2
3 Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C CIT 380: Securing Computer Systems Slide #3
4 Password System Example Authenticate with 8-character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z0-9]{8} C = A F = { I } L = { = } Security problem: a threat who gains access to password file knows password for every user. CIT 380: Securing Computer Systems Slide #4
5 Password Storage Solution: We should store complementary information instead of passwords, so threat doesn t get every password by stealing one file. Idea #1: Encrypt passwords. Encrypt passwords with secret key. Store ciphertext. Problem: what if attacker finds secret key? Idea #2: Hash passwords. Store hash value of password. No Problem: hashes can t be turned back into passwords. Slide #5
6 Password System Example #2 Authenticate with 8-character alphanumeric password. System compares with stored MD5 hash of password. A = [A-Za-z0-9]{8} C = 128-bit numbers F = { MD5 } L = { MD5(a)=c } CIT 380: Securing Computer Systems Slide #6
7 Threat Models 1. Online Attacks Threat has access to login user interface. Attack is attempts to guess passwords using the normal UI (slow). 2. Offline Attacks Threat has access to hashed passwords. Attack is to guess words, hash words, then compare with hashed passwords (fast). 3. Side Channel Attacks Threat has access to account management UI. Attack by using password reset functionality. Slide #7
8 Password Leaks are Common CIT 380: Securing Computer Systems Slide #8
9 Password Cracking Get Hashed Password pw hash word = Next word from list List of potential passwords. word hash = Hash(word) word hash == pw hash False True word is pw CIT 380: Securing Computer Systems Slide #9
10 Cracking Methods 1. List of common passwords 2. List of English/foreign words 3. Permutation rules Substitute numbers/symbols for letters Change case, pluralize, reverse words, character shifts, digit/symbol prefix/postfix,joining words 4. Brute force All possible passwords CIT 380: Securing Computer Systems Slide #10
11 Parallel Cracking This $12,000 computer, dubbed Project Erebus v2.5 by creator d3ad0ne, contains eight AMD Radeon HD7970 GPU cards. Running oclhashcat, it requires just 12 hours to brute force all 8 char passwords. CIT 380: Securing Computer Systems Slide #11
12 Side Channels are Easier Web sites will you password if you answer a simple secret question: 1. What is your favorite color? 2. What is your pet s name? 3. What is your mother s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there? CIT 380: Securing Computer Systems Slide #12
13 Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) >= TG / N G is number of guess per time unit T T is number of time units in attack N is number of possible passwords CIT 380: Securing Computer Systems Slide #13
14 Calculating Minimum Password Length Password System There are 96 allowable characters in password. System allows 10 6 guesses/second. Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? N >= TG/P N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x N = Σ96 i, where i ranges from 1 to length of password Σ96 i >= N = 6.31 x is true when largest i >= 8 The minimum required password length is 8. CIT 380: Securing Computer Systems Slide #14
15 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. If change time too short, users have difficulty recalling passwords. 2. Cannot allow users to change password to current one. 3. Also prevent users from changing passwords too soon. 4. Give notice of impending password change requirement. CIT 380: Securing Computer Systems Slide #15
16 Rainbow Tables Faster cracking by trading space for time Dictionary of passwords/hashes Contains all passwords < length n Find password by looking up hash in table Rainbow table is algorithm for reducing storage Slide #16
17 Salts Add random, public data to password to create key. Any word may be hashed in 2 n possible ways: Your password always uses same n-bit salt. Someone else with same password a probably has different salt, and thus different c = f(a). Multiplies size of rainbow table by 2 n. Doesn t significantly slow down other cracking techniques. Classic UNIX crypt hashes had a 12-bit salt: Number of possible keys increased to 2 66 Rainbow table needs to be 4096 times bigger due to salt.
18 Password Storage and Use CIT 380: Securing Computer Systems Slide #18
19 UNIX Passwords Classic Format: Up to 8 ASCII characters A contains 6.9 x possible passwords. C contains crypt hashes with 12-bit salts, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings. Hashes stored publicly in /etc/passwd. Modern Format A is unlimited, as there is no maximum length. C contains 512-bit hash values bit salt. Hashes stored in /etc/shadow. Slide #19
20 /etc/{passwd,shadow} Central files describing local UNIX user accounts. /etc/passwd Username UID Default GID GCOS Home directory Login shell /etc/shadow Username Encrypted password Date of last pw change. Days til change allowed. Days `til change required. Expiration warning time. Expiration date. student:x:1000:1000:example User,, ,:/home/student:/bin/bash student:$1$w/uuktlf$otssvxtsn/xjzuogfelnz0:13226:0:99999:7::: Slide #20
21 Modern Storage: Iterated Hash + Salt Password security basics Hashes prevent direct access to cleartext passwords. Salts make rainbow tables too expensive to use. How can we make cracking too expensive? Soln: make hashing slower by Use slower hash algorithms. Run the hash function multiple times, passing output of one iteration as input to next. Slide #21
22 Modern Hashing Schemes SHA512crypt (Linux, Mac OS X) Unlimited password length iterations of SHA-512 hash function. 16 character salt. Bcrypt (OpenBSD, 55 chars, 128-bit salt) Based on modified (slower) Blowfish encryption algorithm. Configurable iteration count for hashing. Increases cost of guessing on a per-account basis. PBKDF2 (Password-Based Key Derivation Function 2) (.NET) Scrypt Framework with configurable hash, iterations, salt. Sequential, memory-hard hashing algorithm. Defense against specialized hardware (GPUs, ASICs, FPGAs) Slide #22
23 Windows Passwords Storage %systemroot%\system32\config\sam locked while OS running so other programs can t open. Retrieval Boot system with Ophcrack or Kon-boot USB. Tool will copy SAM to USB drive for cracking. Format Classic: LAN Manager (LM) Hash Modern: NTLM (MD4) Hash Many systems use both for backwards compatibility. CIT 380: Securing Computer Systems Slide #23
24 Windows LM Hash Algorithm 1. Password fitted to 14 character length by truncating or padding with 0s. 2. Password converted to upper case. 3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same 8-byte constant. 5. Resultant strings merged to form a 16-byte hash value. CIT 380: Securing Computer Systems Slide #24
25 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt Number of possible passwords much smaller than DES space. No salt is used. CIT 380: Securing Computer Systems Slide #25
26 NTLM Passwords NTLM is a replacement for LM hashes. LM authentication disabled by default as of Windows Server 2008 (and Vista on desktop.) NTLM Hash Algorithm Convert password to Unicode. Hash with MD4 Algorithm. NTLM Security Problems No salt. Passwords cached on client. Pass-the-hash vulnerabilities.
27 Kerberos Kerberos is a challenge/response protocol Passwords are never sent over network. Passwords are never stored on client. Users authenticate via tickets, not passwords or hashes. Open standard based on symmetric cryptography Created by MIT for internal use. Open source and commercial versions exist. Microsoft Active Directory = Kerberos + LDAP. Password storage Multiple allowed hashing techniques. CIT 380: Securing Computer Systems Slide #27
28 Password Selection 1. Random Selection 2. Pronounceable Passwords 3. User Selection CIT 380: Securing Computer Systems Slide #28
29 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking. Random passwords aren t easy to remember Short term memory holds 7 +/- 2 items People have multiple passwords Principle of Psychological Acceptability Requires a secure PRNG to be effective. CIT 380: Securing Computer Systems Slide #29
30 Random Selection (Bad)Example PDP-11 password generator 16-bit machine 8 upper-case letters and digits P = 36 8 = 2.8 x At sec/encryption, 140 years to brute force PRNG had period of Only 65,535 possible passwords Requires 102 seconds to try all passwords CIT 380: Securing Computer Systems Slide #30
31 Pronounceable Passwords Generate passwords from random phonemes instead of random characters. People can remember password as sequence of audible phonemes instead of characters, allowing easy recall of longer passwords. Fewer pronounceable passwords exist than random passwords. CIT 380: Securing Computer Systems Slide #31
32 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. Based on account, user, or host names 2. Dictionary words 3. Permuted dictionary words 4. Patterns from keyboard 5. Shorter than 6 characters 6. Digits, lowercase, or uppercase only passwords 7. License plates or acronyms 8. Based on previously used passwords CIT 380: Securing Computer Systems Slide #32
33 Human Randomness? CIT 380: Securing Computer Systems Slide #33
34 Bad Passwords CIT 380: Securing Computer Systems Slide #34
35 How to Select Good Passwords 1. Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2. Themes: 1. Word combinations: 3 blind katz 2. or URL: yoda@strong-this-password-is.net 3. Phone number: (888) 888-eight eight 4. Bracketing: Starfleet -> *!-Starfleet-!* 5. Add a word: shopping -> Goin shopping 6. Repetition: Pirate--PirateShip 7. Letter swapping: Sour Grape -> Gour Srape CIT 380: Securing Computer Systems Slide #35
36 Miseducating Users? CIT 380: Securing Computer Systems
37 Online Password Attacks If complements (hashes) not accessible, attacker must use authentication functions to do an online attack. You can t stop threats from trying to login. To increase difficulty of online attacks: Backoff: add wait time before asking for username and password again, increasing with each login failure. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Slide #37
38 Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story. CIT 380: Securing Computer Systems Slide #38
39 Password Reuse
40 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time. CIT 380: Securing Computer Systems Slide #40
41 One-Time Passwords A password that s invalidated once used. Challenge: number of auth attempt Response: one-time password Problems Generation of one-time passwords Use hash or crytographic function Synchronization of the user and the system Number or timestamp passwords CIT 380: Securing Computer Systems Slide #41
42 Key Points 1. Password threat models: 1. Online: use regular login form. 2. Offline: obtain and crack password hashes. 3. Side-Channel: bypass using account management functions like password reset. 2. Stored passwords secured vs. offline attacks by Hashing (possibly with multiple iterations) Salting 3. Cracking techniques Brute-force (try every possible password) Dictionary based Rule based Rainbow tables Slide #42
43 Key Points 4. Designing a password policy P(T) >= TG / N 1. Password complexity (length, character set) 2. Password aging (how often to change) 5. Selecting passwords 1. Random selection 2. Human selection 6. One-time passwords offer greater security. 1. Since passwords can t be reused, it does not matter if an attacker obtains a previously used password. Slide #43
44 References 1. Ross Anderson, Security Engineering, 2 nd edition, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O Reilly, Dan Goodin, Why passwords have never been weaker and crackers have never been stronger, Ars Technica, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Cynthia Kuo et. al., Human Selection of Mnemonic Phrase-based Passwords, SOUPS 2006, Solar Designer, Password hashing at scale, YaC 2012, Hashing-At-Scale/, 2012.
Topics. Authentication System. Passwords
Passwords Topics 1. Password Systems 2. Password Attacks 3. Mitigating Attacks 4. Graphical passwords 5. One-time passwords Authentication System A: set of authentication information information used by
More informationAuthentication and Passwords. CSC 482/582: Computer Security
Authentication and Passwords Authentication 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication 7. Password Threat Models and Attacks 8. Storing
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationPassword cracking. IN Ethical Hacking. Bruvoll & Sørby. Department of Informatics 1 / 46
Password cracking IN5290 - Ethical Hacking Bruvoll & Sørby Department of Informatics 2018 1 / 46 Agenda About passwords Cracking passwords 2 / 46 About passwords 3 / 46 Passwords as authentication Providing
More informationCIT 480: Securing Computer Systems. Authentication
CIT 480: Securing Computer Systems Authentication Topics 1. Digital Identity and Groups 2. Authentication 3. Formal Definition 4. Authentication Types 5. Tokens 6. Biometrics 7. UNIX Authentication Digital
More informationPASSWORDS & ENCRYPTION
PASSWORDS & ENCRYPTION Villanova University Department of Computing Sciences D. Justin Price Fall 2014 CRYPTOGRAPHY Hiding the meaning of a message from unintended recipients. Open source algorithms are
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 2 Password Authentication Roadmap Password Authentication
More informationHands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationHands-On Network Security: Practical Tools & Methods
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationFrontline Information Protection
Frontline Information Protection a presentation to the Phoenix Chapter of ISACA by Hoyt L Kesterson II October 2014 OBSERVATION Most successful attacks spring from weakly-coded web pages or compromised
More informationCNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1 Objectives Understand/explain the issues related to, and utilize
More informationAuthentication. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Authentication Murat Kantarcioglu Authentication Overview Basics Passwords Challenge-Response Biometrics Location Multiple Methods Basics
More informationCIT 380: Securing Computer Systems
Authentication Slide #1 Topics 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication Slide #2 What is Identity? Computer s representation of an entity
More informationComputer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 7 Application Password Crackers
Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 7 Application Password Crackers Objectives After completing this chapter, you should be
More informationWorksheet - Reading Guide for Keys and Passwords
Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret
More informationPasswords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014
Passwords CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Unix Passwords In Unix, users are identified by user names Authenticated by passwords Therefore to login as
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationn Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems
Outline n Describe the CEH hacking methodology and system hacking steps n Describe methods used to gain access to systems n Describe methods used to escalate privileges Chapter #5: n Describe methods used
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationWindows authentication methods and pitfalls
Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks 1996-2013 - P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication
More informationPassword retrieval. Mag. iur. Dr. techn. Michael Sonntag
Mag. iur. Dr. techn. Michael Sonntag Password retrieval E-Mail: sonntag@fim.uni-linz.ac.at http://www.fim.uni-linz.ac.at/staff/sonntag.htm Institute for Information Processing and Microprocessor Technology
More informationGoals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack
Last Updated: Nov 7, 2017 Goals Understand UNIX pw system How it works How to attack Understand Lamport s hash and its vulnerabilities History of UNIX passwords Originally the actual passwords were stored
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationAuthentication and passwords
Authentication and passwords Passwords The Key Idea Prover sends a password to a Verifier. The channel must be private If an attacker obtains a user s password, he can authenticate as her. Passwords must
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building
More informationPYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER
PYTHIA SERVICE WHITEPAPER BY VIRGIL SECURITY WHITE PAPER May 21, 2018 CONTENTS Introduction 2 How does Pythia solve these problems? 3 Are there any other solutions? 4 What is Pythia? 4 How does it work?
More information5/13/2015 2:54 PM. All your passwords are belong to us. Authorities dig through prescription med databases thanks to pre-digital age precedent.
All your passwords are belong to us. by Dan Goodin - Dec 9, 2012 4:00pm PST Authorities dig through prescription med databases thanks to pre-digital age precedent. Welcome to Radeon City, population: 8.
More informationCIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies
CIT 470: Advanced Network and System Administration Accounts and Namespaces CIT 470: Advanced Network and System Administration Slide #1 Topics 1. Namespaces 2. Policies 1. selection 2. lifetime 3. scope
More informationBTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security
BTEC Level 3 Unit 32 Network System Security Password Authentication and Protection Passwords Why are they important? Passwords are cheap to deploy, but also act as the first line of defense in a security
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationAuthentication System
A Biologically Inspired Password Authentication System Dipankar Dasgupta and Sudip Saha Center for Information Assurance University of Memphis Memphis, TN 38152 Outline Motivation Position Authentication
More informationID protocols. Overview. Dan Boneh
ID protocols Overview The Setup sk Alg. G vk vk either public or secret User P (prover) Server V (verifier) no key exchange yes/no Applications: physical world Physical locks: (friend-or-foe) Wireless
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationChapter 3: Hashing. Prof Bill Buchanan OBE
Chapter 3: Hashing Hashing Types. Hashing Methods. Salting. Collisions. LM and NTLM Hashes (Windows). Hash Benchmarks. Message Authentication Codes (MACs). OTP/HOTP. Prof Bill Buchanan OBE http://asecuritysite.com/crypto03
More informationAuthentication CHAPTER 17
Authentication CHAPTER 17 Authentication Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources. getting entrance
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication What is Authentication? Real-world and computer world examples? What is a result of authentication? What are the means for in
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationMANAGING LOCAL AUTHENTICATION IN WINDOWS
MANAGING LOCAL AUTHENTICATION IN WINDOWS Credentials Manager Windows OS has a set of tools that help remedy some of the authentication challenges. For example, the Credential Manager in Windows 7 and newer
More informationCYB 610 Project 1 Workspace Exercise
CYB 610 Project 1 Workspace Exercise I. Project Overview Your deliverables for Project 1 are described below. You will submit your work at the end of Step 6 of Project 1 in your ELM classroom. 1. Non-Technical
More informationAuthentication. Administrative VM login credentials. September 8, CentOS-6.4 root
Authentication September 8, 2017 Administrative VM login credentials CentOS-6.4 student/c$l@blinux root /c$l@blinux ( mnemonic: compter science lab linux ) Centos 4.3 min-gdb root/password Kali Linux root/c$l@blinux
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication EECE 412 Copyright 2004-2007 Konstantin Beznosov What is Authentication? Real-world and computer world examples? What is a result
More informationCNT4406/5412 Network Security
CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Introduction Introduction Authentication is the process
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationMnemonic Password Algorithms
Mnemonic Password Algorithms Remembering Secure Passwords I)ruid What is a Mnemonic Password Algorithm? An MPA, or Mnemonic Password Algorithm, is a mental mapping of known elements
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationIntroduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Information Security Prof. V. Kamakoti Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture 09 Now, we discuss about the insecurity of passwords.
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationAuthentication. Steven M. Bellovin January 31,
Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to do Identification is whom you claim to be be Authentication
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Radu Sion Passwords 2005-12 portions Matt Bishop Authentication Basics Passwords Storage Selection Breaking them Other methods Multiple methods Systems Security
More informationSingle Sign-On Showdown
Single Sign-On Showdown ADFS vs Pass-Through Authentication Max Fritz Solutions Architect SADA Systems #ITDEVCONNECTIONS Azure AD Identity Sync & Auth Timeline 2009 2012 DirSync becomes Azure AD Sync 2013
More informationCryptographic Hash Functions. Secure Software Systems
1 Cryptographic Hash Functions 2 Cryptographic Hash Functions Input: Message of arbitrary size Output: Digest (hashed output) of fixed size Loreum ipsum Hash Function 23sdfw83x8mjyacd6 (message of arbitrary
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationscrypt: A new key derivation function
Doing our best to thwart TLAs armed with ASICs Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Making bcrypt obsolete Colin Percival Tarsnap cperciva@tarsnap.com May 9, 2009 Are you sure your SSH
More informationCopyright
This video will look at configuring the default password policy in Active Directory. These setting determines setting like how long a user password will be, if the password needs to complex, and how many
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (3 rd Week) 3. User Authentication 3.Outline Electronic User Authentication Principles Password-Based Authentication Token-Based Authentication Biometric
More informationSecrets of the edu-id Password
Secrets of the edu-id Password Lukas Hämmerle lukas.haemmerle@switch.ch Trust & Identity WG Meeting 14. March 2018, Bern 2018 SWITCH 1 Setting a Good Password System: "Sorry, your password is too old and
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationEffective Password Hashing
Effective Password Hashing November 18th, 2015 Colin Keigher colin@keigher.ca ~ @afreak ~ https://afreak.ca ~ https://canary.pw Who am I? I am a Senior Security Analyst at a large Canadian company Actively
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 13 Announcements Talk today: 3:00 Wu & Chen Auditorium Boon Thau Loo "Declarative Networking: Extensible Networks with Declarative Queries"
More informationCryptography for Software and Web Developers
Cryptography for Software and Web Developers Part 4: randomness, hashing, tokens Hanno Böck 2014-05-28 1 / 13 Bad random numbers Random fails Example: Factoring RSA keys Good / bad randomness In security
More informationAuthentication. Tadayoshi Kohno
CSE 484 / CSE M 584 (Winter 2013) Authentication Tadayoshi Kohno Thanks to Vitaly Shmatikov, Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Bennet Yee, and many others for sample
More informationOutline Key Management CS 239 Computer Security February 9, 2004
Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your
More informationMaximizing the speed of time based SQL injection data retrieval
Maximizing the speed of time based SQL injection data retrieval 30c3, Hamburg, 29.12.2013 Arnim' ; DROP TABLE students;-- ) Introduction SQL injection SQLi is #1 of OWASP Top 10 Web vulnerabilities Sample
More informationL7: Authentication. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Authentication Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 10/7/2016 CSCI 451 -Fall 2016 1 Acknowledgement Revised based on slides are from
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hash functions: Generates a unique short code from a large file Uses of hashes MD5, SHA1, SHA2, SHA3 Message Authentication
More informationEnhancing Salted Password Hashing Technique Using Swapping Elements in an Array Algorithm
IJCST Vo l. 9, Is s u e 1, Ja n - Ma r c h 2018 ISSN : 0976-8491 (Online) ISSN : 2229-4333 (Print) Enhancing Salted Password Hashing Technique Using Swapping Elements in an Array Algorithm 1 Dr. Abdelrahman
More informationLecture 9 User Authentication
Lecture 9 User Authentication RFC 4949 RFC 4949 defines user authentication as: The process of verifying an identity claimed by or for a system entity. Authentication Process Fundamental building block
More informationLecture 4: Hashes and Message Digests,
T-79.159 Cryptography and Data Security Lecture 4: Hashes and Message Digests Helsinki University of Technology mjos@tcs.hut.fi 1 Cryptographic hash functions Maps a message M (a bit string of arbitrary
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationAuthentication. Steven M. Bellovin September 26,
Authentication Steven M. Bellovin September 26, 2009 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationProcesses are subjects.
Identification and Authentication Access Control Other security related things: Devices, mounting filesystems Search path Race conditions NOTE: filenames may differ between OS/distributions Principals
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationAuthentication. Amit Konar Math and Computer Sc., UMSL
Authentication Amit Konar Math and Computer Sc., UMSL What is Authentication? Authentication is the binding of an identity to a subject. Subjects act on behalf of some other, external entity. The identity
More informationLecture 3 - Passwords and Authentication
Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 What is authentication? Reliably verifying
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationCNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management
CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management Authentication Methods Authentication Methods Type 1: Something you know Easiest and weakest method
More informationComputer Security (EDA263 / DIT 641)
Computer Security (EDA263 / DIT 641) Lecture 4: Passwords Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Sweden Bad passwords Names (own, wife, child, dog,
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More information