Authentication and Passwords. CSC 482/582: Computer Security
|
|
- Shonda May
- 5 years ago
- Views:
Transcription
1 Authentication and Passwords
2 Authentication 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication 7. Password Threat Models and Attacks 8. Storing Passwords: Hashing and Salting 9. Password Selection 10. Graphical Password Systems 11. One-time Passwords
3 What is Identity? Computer s representation of an entity Entities can be subjects or objects. Authentication binds a principal to an identity. Example: username expresses your identity. password binds the person typing to that particular identity (username).
4 Purpose of Identity Access Control Most systems base access rights on identity of principal executing the process. Accountability Logging and auditing functions. Need to track identity across account/role changes (e.g., su, sudo).
5 Groups and Roles An entity may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. static: alias for a group of principles. dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function
6 Network Identity Ethernet (MAC) Address 48-bit data link level identifier example: 00:0B:DB:78:39:8A IP Address 32-bit network level identifier ex: IPv6 Address 128-bit network level identifier ex: fe80::2a0:c9ff:fe97:153d/64 Hostname (DNS name) string application level identifier ex:
7 What is Authentication? Binding of an identity to a subject Based on: 1. What the entity knows (e.g., passwords) 2. What the entity has (e.g., access card) 3. What the entity is (e.g., fingerprints) 4. Where the entity is (e.g., local terminal) Two-factor authentication
8 Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C
9 Password System Example User authenticates with 8-character alphanumeric password. System compares against stored cleartext password. A = [A-Za-z0-9]{8} C = A F = { I } L = { = } Not a system that anyone should actually use.
10 Biometric System Example User authenticates with fingerprint. System compares w/ digital fingerprint template. A = { user fingerprints } C = { digital fingerprint templates } F = { fingerprint reader + analog->digital } L = { tunable similarity function }
11 What You Know Passwords Pass Phrases PINs
12 What You Have Smart Cards USB Token RFID RFID used for toll collection
13 RFID Radio Frequency Identification Types of Tags Passive: use power from reader signal Active: internal power source Applications Product tracking (EPC barcode replacement) Transportation payment Automotive (embedded in car keys) Passports Human implants EPC RFID Tag
14 What You Are: Biometrics Identification by human characteristics: 1. Physiological 2. Behavioral A biometric characteristic should be: 1. universal: everyone should have it 2. unique: no two people should share it 3. permanent: it should not change with time 4. quantifiable: it must be practically measurable
15 How Biometrics Work 1. User submits sample. 2. Software turns sample into digital template. 3. Software compares template against stored reference template. 4. Authentication based on how closely templates match.
16 Biometric Measurement Possible Outcomes: 1. Correct person accepted 2. Imposter rejected 3. Correct person rejected (False Rejection) 4. Imposter accepted (False Acceptance)
17 False Positives and Negatives Tradeoff between False Accept Rate False Reject Rate
18 Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised.
19 Brandon Mayfield Fingerprints found in 2004 Madrid bombing. Brandon arrested May 6, FBI claimed 100 percent positive match. Held under a false name. Then transferred to unidentified location. Spanish police identify fingerprint as belonging to an Algerian man May 21, Brandon released May 25, 2004.
20 Eye Biometrics Iris Scan Lowest false accept/reject rates of any biometric. Person must hold head still and look into camera. Retinal Scan Cataracts and pregnancy change retina pattern. Lower false accept/reject rates than fingerprints. Intrusive and slow.
21 Other Types of Biometrics Physiological Behavioral DNA Face recognition Hand geometric Heartbeat Voice recognition Gait recognition Keyboard dynamics Mouse dynamics Signatures
22 Biometrics are not infallible What are False Accept and Reject Rates? Do the characteristics change over time? Retina changes during pregnancy. Fingerprint damage due to work/pipe smoking. Young and old people have fainter fingerprints. Is it accurate in the installed environment? Is someone observing fingerprint or voiceprint checks? i.e., did you collect biometric from the person?
23 Biometrics can be compromised. Unique identifiers, not secrets. You can change a password. You can t change your iris scan. Examples: You leave your fingerprints every place. It s easy to take a picture of your face. Other compromises. Use faux ATM-style devices to collect biometrics. Obtain all biometric templates from server.
24 Use and Misuse of Biometrics Employee identification. Employee enters login name. System uses fingerprint to verify employee is who he claims to be. Problem: Does biometric match the employee? Criminal search (Superbowl 2001) System uses face recognition to search for criminals in public places. Problem: Does any biometric in database match anyone in a crowd of people? Assume system is 99.99% accurate and 1 in 10million people is a terrorist. Result: 1000 false positives for each terrorist.
25 Location Classic: only allow access from a particular terminal or a particular set of remote hosts. Modern: GPS-based Location Signature Sensor (LSS) for host and user. Access rules permit user only to access host with specific LSS values. Cell-phones track location, and some states use them to track drivers speed and locations.
26 UNIX Authentication UNIX identifies user with a UID Username is for humans, UID for computers. 32-bit unsigned integer. UID=0 is the superuser, root. Identity and authentication data stored in /etc/passwd /etc/shadow /etc/group
27 /etc/{passwd,shadow} Central file(s) describing UNIX user accounts. /etc/passwd /etc/shadow Username Username UID Encrypted password Default GID Date of last pw change. Days til change allowed. GCOS Days `til change Home directory required. Login shell Expiration warning time. Expiration date. student:x:1000:1000:example User,, ,:/home/student:/bin/bash student:$1$w/uuktlf$otssvxtsn/xjzuogfelnz0:13226:0:99999:7:::
28 Password Storage and Use
29 Password Threat Models 1. Online Attacks Threat has access to login user interface. Attack is attempts to guess passwords using the normal UI (slow). 2. Offline Attacks Threat has access to hashed passwords. Attack is to guess words, hash words, then compare with hashed passwords (fast). 3. Side Channel Attacks Threat has access to account management UI. Attack by using password reset functionality.
30 Password Leaks are Common
31 Password Cracking Get Hashed Password pw hash word = Next word from list List of potential passwords. word hash = Hash(word) word hash == pw hash False True word is password
32 Cracking Methods 1. List of common passwords As a result of leaks, lists of millions are available. 2. List of English/foreign dictionary words 3. Permutation rules Substitute numbers/symbols for letters Change case, pluralize, reverse words, digit/symbol prefix/postfix, replace letters with symbols (a Join words from sources #1 and #2 above, with symbols or 4-digit or shorter numbers added infix or prefix or postfix. 4. Brute force All possible passwords
33 Parallel Cracking GPUs contain hundreds of small processor cores Can be used to crack some types of password hashes. Elcomsoft benchmarks Cluster of 25 Radeon GPUs. 350 billion Windows NTLM pws/sec Cluster can try every password that is <= 8 characters long in 5.5 hours.
34 Countering Password Guessing Choose A, C, and F to select suitably low probability P(T) of guessing in time T. P(T) >= TG / N G is number of guess per time unit T T is number of time units in attack N is number of possible passwords
35 Calculating Minimum Password Length Password System There are 96 allowable characters in password. System allows 10 6 guesses/second. Requirement: probablility of success guess should be 0.5 over 365-day period. What should the minimum password length be? N >= TG/P N >= (365 x 24 x 60 x 60) x 10 6 / 0.5 = 6.31 x N = Σ96 i, where i ranges from 1 to length of password Σ96 i >= N = 6.31 x is true when largest i >= 8 The minimum required password length is 8.
36 Password Aging Requirement that password be changed after a period of time or after an event has occurred If expected time to guess is 180 days, should change password more frequently than 180 days 1. If change time too short, users have difficulty recalling passwords. 2. Cannot allow users to change password to current one. 3. Also prevent users from changing passwords too soon. 4. Give notice of impending password change requirement.
37 Classic UNIX Passwords Format: Up to 8 ASCII characters A contains 6.9 x possible passwords C contains crypt hashes, strings of length 13 chosen from alphabet of 64 characters, 3.0 x strings Storage /etc/passwd (0644) was traditionally used /etc/shadow (0600) in modern systems
38 Classic UNIX Password Hashing crypt() function used for hashing DES encrypts 64-bit block of 0s (25 rounds) using your password for the key. Modified DES incompatible with DES hardware cracking tools. Limited to 8 characters or less. If limited to 95 printable characters, only 2 53 possible passwords.
39 Rainbow Tables Faster cracking by trading space for time: Dictionary of passwords and their hashes Contains all passwords < length n Find password by looking up hash in table GPU cracking fast enough to reduce importance.
40 Salts Add random, public data to password to create key. Any word may be encrypted in 2 n possible ways: Your password always uses same n-bit salt. Someone else with same password (a) probably has different salt, and thus different c = f(a). Traditional UNIX crypt had a 12-bit salt Number of possible keys increased to 2 66 Too small for today. Modern UNIX uses slower hash + larger salt.
41 Modern Hashing Schemes SHA512crypt (Linux, Mac OS X) unlimited length passwords 5000 iterations 16 character salt Bcrypt (55 character long passwords, 128-bit salt) Based on modified (slower) Blowfish encryption algorithm. Configurable iteration count for hashing. Increases cost of guessing on a per-account basis. PBKDF2 (Password-Based Key Derivation Function 2) Framework with configurable hash, iterations, salt. (.NET) Scrypt Sequential, memory-hard hashing algorithm. Defense against specialized hardware (GPUs, ASICs, FPGAs) None of these can be attacked via GPU cracking today.
42 Windows 2000/XP Passwords Storage %systemroot%\system32\config\sam locked while NT running %systemroot%\repair\sam_ backup file may be accessible via remote registry calls Format LAN Manager (LM) Hash NT (MD4) Hash
43 Windows LM Hash Algorithm 1. Password fitted to 14 character length by truncating or padding with 0s. 2. Password converted to upper case. 3. Password divided into two 7-byte halves. 4. Each half used as DES key to encrypt same 8-byte constant. 5. Resultant strings merged to form a 16-byte hash value.
44 Windows LM Hash Problems Last 8 bytes of c known if password < 7 chars. Dividing password into halves reducing problem of breaking 14-character password to breaking two 7- character passwords. Conversion to upper case reduces character set. Dictionary of password hashes can be prebuilt Number of possible passwords much smaller than DES space. No salt is used.
45 Windows NT Hash Converts to Unicode, MD4 hashes result Caveat: Often used in conjunction with LM hash, which is required for backwards compatibility. No salt: identical passwords generate identical hashes.
46 Password Selection 1. Random Selection 2. Pronounceable Passwords 3. User Selection
47 Random Selection Yields equal distribution of passwords for maximum difficulty in cracking What about short passwords? Random passwords aren t easy to remember Short term memory holds 7 +/- 2 items People have multiple passwords Principle of Psychological Acceptability Requires a good PRNG
48 Random Selection (Bad)Example PDP-11 password generator 16-bit machine 8 upper-case letters and digits P = 36 8 = 2.8 x At sec/encryption, 140 years to brute force PRNG had period of Only 65,535 possible passwords Requires 102 seconds to try all passwords
49 User Selection Allow users to choose passwords. Reject insecure passwords based on ruleset: 1. Based on account, user, or host names 2. Dictionary words 3. Permuted dictionary words 4. Patterns from keyboard 5. Shorter than 6 characters 6. Digits, lowercase, or uppercase only passwords 7. License plates or acronyms 8. Based on previously used passwords
50 Human Randomness?
51 Bad Passwords
52 How to Select Good Passwords 1. Long passwords, consisting of multiple words.. Use n th letter of each word if phrase too long. 2. Themes: 1. Word combinations: 3 blind katz 2. or URL: yoda@strong-this-password-is.net 3. Phone number: (888) 888-eight eight 4. Bracketing: Starfleet -> *!-Starfleet-!* 5. Add a word: shopping -> Goin shopping 6. Repetition: Pirate--PirateShip 7. Letter swapping: Sour Grape -> Gour Srape
53 Miseducating Users?
54 Online Attacks If complements not accessible, attacker must use authentication functions to do an online attack. Cannot be prevented. To increase difficulty of auth function attack: Backoff: increasing wait before allowing another guess. Disconnection: disconnect after n failures. Disabling: disable account after n failures. Jailing: permit access to limited system, so admins can observe attacker.
55 Side Channel Attacks are Easier Web sites will you password if you answer a simple secret question: 1. What is your favorite color? 2. What is your pet s name? 3. What is your mother s maiden name? Violation of fail-safe defaults Failover to less secure protocol. How many favorite colors are there?
56 Graphical Passwords Face Scheme: Password is sequence of faces, each chosen from a grid of 9 faces. Story Scheme: Password is sequence of images, each chosen from a grid of 9, to form a story.
57 Challenge-Response Problem: passwords are reusable, and thus subject to replay attacks. Solution: authenticate in such a way that the transmitted password changes each time.
58 One-Time Passwords A password that s invalidated once used. Challenge: number of authentication attempt Response: one-time password Problems Generation of one-time passwords Use hash or cryptographic function Synchronization of the user and the system Number or timestamp passwords
59 Key Points 1. Access control is based on identity. 2. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user s identity 1. something you know (passwords) 2. something you have (security tokens) 3. something you are (biometrics) 3. Dictionary attacks can break password security Rainbow tables trade space for time to speedup cracking. Special hardware (GPUs) and parallelization can speedup. 4. Stored passwords are secured by Hashing (possibly with multiple iterations) Salting 5. One-time passwords offer greater security.
60 References 1. Phil Agre. Your Face is not a Bar Code, Ross Anderson, Security Engineering, 2 nd edition, Wiley, Matt Bishop, Introduction to Computer Security, Addison-Wesley, Mark Burnett and Dave Kleiman, Perfect Passwords, Syngress, Lorie Faith Cranor and Simson Garfinkel, Security and Usability, O Reilly, Dan Goodin, Why passwords have never been weaker and crackers have never been stronger, Ars Technica, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Cynthia Kuo et. al., Human Selection of Mnemonic Phrase-based Passwords, SOUPS 2006, Bruce Schneier, Biometrics: Truths and Fictions, Cryptogram, Bruce Schneier, The Curse of the Secret Question, Solar Designer, Password hashing at scale, YaC 2012, Scale/, 2012.
CIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Passwords CIT 380: Securing Computer Systems Slide #1 Topics 1. Password Systems 2. Password Cracking 3. Hashing and Salting 4. UNIX Password Systems 5. Windows Password
More informationCIT 380: Securing Computer Systems
Authentication Slide #1 Topics 1. Identity 2. Groups and Roles 3. Network Identities 4. Authentication 5. Biometrics 6. UNIX Authentication Slide #2 What is Identity? Computer s representation of an entity
More informationTopics. Authentication System. Passwords
Passwords Topics 1. Password Systems 2. Password Attacks 3. Mitigating Attacks 4. Graphical passwords 5. One-time passwords Authentication System A: set of authentication information information used by
More informationCIT 480: Securing Computer Systems. Authentication
CIT 480: Securing Computer Systems Authentication Topics 1. Digital Identity and Groups 2. Authentication 3. Formal Definition 4. Authentication Types 5. Tokens 6. Biometrics 7. UNIX Authentication Digital
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationLecture 9 User Authentication
Lecture 9 User Authentication RFC 4949 RFC 4949 defines user authentication as: The process of verifying an identity claimed by or for a system entity. Authentication Process Fundamental building block
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationInformation Security & Privacy
IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1 Objectives Understand/explain the issues related to, and utilize
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationHands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationHands-On Network Security: Practical Tools & Methods
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 4 Password Strength & Cracking Roadmap
More informationAuthentication Objectives People Authentication I
Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.)
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 2 Password Authentication Roadmap Password Authentication
More informationChapter 3: User Authentication
Chapter 3: User Authentication Comp Sci 3600 Security Outline 1 2 3 4 Outline 1 2 3 4 User Authentication NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines user as: The process
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 3 User Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown User Authentication fundamental security building
More informationPassword cracking. IN Ethical Hacking. Bruvoll & Sørby. Department of Informatics 1 / 46
Password cracking IN5290 - Ethical Hacking Bruvoll & Sørby Department of Informatics 2018 1 / 46 Agenda About passwords Cracking passwords 2 / 46 About passwords 3 / 46 Passwords as authentication Providing
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 4 Password Strength & Cracking Roadmap Password Authentication
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (3 rd Week) 3. User Authentication 3.Outline Electronic User Authentication Principles Password-Based Authentication Token-Based Authentication Biometric
More informationCS530 Authentication
CS530 Authentication Bill Cheng http://merlot.usc.edu/cs530-s10 1 Identification vs. Authentication Identification associating an identity (or a claimed identity) with an individual, process, or request
More informationAuthentication. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Authentication Murat Kantarcioglu Authentication Overview Basics Passwords Challenge-Response Biometrics Location Multiple Methods Basics
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication EECE 412 Copyright 2004-2007 Konstantin Beznosov What is Authentication? Real-world and computer world examples? What is a result
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 9: Authentication Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Definition of entity authentication Solutions password-based
More informationCSC 405 Introduction to Computer Security
CSC 405 Introduction to Computer Security Topic 4. Security in Conventional Operating Systems -- Part II 1 Basic Concepts of UNIX Access Control: Users, Groups, Files, Processes Each user has a unique
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More informationCIS 4360 Secure Computer Systems Biometrics (Something You Are)
CIS 4360 Secure Computer Systems Biometrics (Something You Are) Professor Qiang Zeng Spring 2017 Previous Class Credentials Something you know (Knowledge factors) Something you have (Possession factors)
More informationPasswords. EJ Jung. slide 1
Passwords EJ Jung slide 1 Basic Problem? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem slide 2 Many Ways to Prove Who You Are What
More informationCNT4406/5412 Network Security
CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Introduction Introduction Authentication is the process
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/1516/ Chapter 4: 1 Chapter 4: Identification & Authentication Chapter 4: 2 Agenda User authentication Identification & authentication Passwords
More informationAuthentication. Amit Konar Math and Computer Sc., UMSL
Authentication Amit Konar Math and Computer Sc., UMSL What is Authentication? Authentication is the binding of an identity to a subject. Subjects act on behalf of some other, external entity. The identity
More informationLecture 3 - Passwords and Authentication
Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 What is authentication? Reliably verifying
More informationCSC 474 Network Security. Authentication. Identification
Computer Science CSC 474 Network Security Topic 6. Authentication CSC 474 Dr. Peng Ning 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationAuthentication Technologies
Authentication Technologies 1 Authentication The determination of identity, usually based on a combination of something the person has (like a smart card or a radio key fob storing secret keys), something
More informationAuthentication. Tadayoshi Kohno
CSE 484 / CSE M 584 (Winter 2013) Authentication Tadayoshi Kohno Thanks to Vitaly Shmatikov, Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Bennet Yee, and many others for sample
More informationGoals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack
Last Updated: Nov 7, 2017 Goals Understand UNIX pw system How it works How to attack Understand Lamport s hash and its vulnerabilities History of UNIX passwords Originally the actual passwords were stored
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationAuthentication. Identification. AIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 6. Authentication Instructor: Dr. Kun Sun Authentication Authentication is the process of reliably verifying certain information. Examples User authentication
More informationPasswords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014
Passwords CSC 193 WAKE FOREST U N I V E R S I T Y Department of Computer Science Spring 2014 Unix Passwords In Unix, users are identified by user names Authenticated by passwords Therefore to login as
More informationAuthentication System
A Biologically Inspired Password Authentication System Dipankar Dasgupta and Sudip Saha Center for Information Assurance University of Memphis Memphis, TN 38152 Outline Motivation Position Authentication
More informationCSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018 Previous Class Credentials Something you know (Knowledge factors) Something you have (Possession factors)
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationCSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Entity Authentication Professor Lisa Luo Spring 2018 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationAuthentication KAMI VANIEA 1
Authentication KAMI VANIEA FEBRUARY 1ST KAMI VANIEA 1 First, the news KAMI VANIEA 2 Today Basics of authentication Something you know passwords Something you have Something you are KAMI VANIEA 3 Most recommended
More informationAuthentication. Chapter 2
Authentication Chapter 2 Learning Objectives Create strong passwords and store them securely Understand the Kerberos authentication process Understand how CHAP works Understand what mutual authentication
More informationPRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B
PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT 800-63B MOTIVATION DATABASE LEAKAGE ADOBE 152,982,479 Encrypted with 3DES ECB Same password == same ciphertext https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
More informationComputer Security (EDA263 / DIT 641)
Computer Security (EDA263 / DIT 641) Lecture 4: Passwords Erland Jonsson Department of Computer Science and Engineering Chalmers University of Technology Sweden Bad passwords Names (own, wife, child, dog,
More informationIn this unit we are continuing our discussion of IT security measures.
1 In this unit we are continuing our discussion of IT security measures. 2 One of the best security practices in Information Security is that users should have access only to the resources and systems
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationAuthentication CHAPTER 17
Authentication CHAPTER 17 Authentication Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources. getting entrance
More informationJérôme Kerviel. Dang Thanh Binh
Dang Thanh Binh Jérôme Kerviel Rogue trader, lost 4.9 billion Largest fraud in banking history at that time Worked in the compliance department of a French bank Defeated security at his bank by concealing
More informationCOMPGA12 1 TURN OVER
Applied Cryptography, COMPGA12, 2009-10 Answer ALL questions. 2 hours. Marks for each part of each question are indicated in square brackets Calculators are NOT permitted 1. Multiple Choice Questions.
More information5/13/2015 2:54 PM. All your passwords are belong to us. Authorities dig through prescription med databases thanks to pre-digital age precedent.
All your passwords are belong to us. by Dan Goodin - Dec 9, 2012 4:00pm PST Authorities dig through prescription med databases thanks to pre-digital age precedent. Welcome to Radeon City, population: 8.
More informationCNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management
CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management Authentication Methods Authentication Methods Type 1: Something you know Easiest and weakest method
More informationCIS 6930/4930 Computer and Network Security. Topic 6. Authentication
CIS 6930/4930 Computer and Network Security Topic 6. Authentication 1 Authentication Authentication is the process of reliably verifying certain information. Examples User authentication Allow a user to
More informationCSE509: (Intro to) Systems Security
CSE509: (Intro to) Systems Security Fall 2012 Radu Sion Passwords 2005-12 portions Matt Bishop Authentication Basics Passwords Storage Selection Breaking them Other methods Multiple methods Systems Security
More informationWho are you? Enter userid and password. Means of Authentication. Authentication 2/19/2010 COMP Authentication is the process of verifying that
Who are you? Authentication COMP620 Authentication is the process of verifying that the user or system is who they claim li to be. A system may be acting on behalf of a given principal. Authentication
More informationSumy State University Department of Computer Science
Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationFrontline Information Protection
Frontline Information Protection a presentation to the Phoenix Chapter of ISACA by Hoyt L Kesterson II October 2014 OBSERVATION Most successful attacks spring from weakly-coded web pages or compromised
More informationUser Authentication and Passwords
User Authentication and : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 31 October 2012 Y12S2L11, Steve/Courses/2012/s2/css322/lectures/passwords.tex,
More informationO/S & Access Control. Aggelos Kiayias - Justin Neumann
O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation
More informationTABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure
TABLE OF CONTENTS 1.0 General Statement... 3 2.0 Purpose... 3 3.0 Scope... 3 4.0 Procedure... 3 4.1 General... 3 4.2 Requirements... 4 4.3 Guidelines... 4 5.0 Failure to comply... 6 2 1.0 GENERAL STATEMENT
More informationChapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger.
Chapter 2: Access Control and Site Security ACIS 5584 E-Commerce Security Dr. France Belanger Panko, Corporate Computer and Network Security Copyright 2002 Prentice-Hall Access Control Definitions Access
More informationCNIT 124: Advanced Ethical Hacking. Ch 9: Password Attacks
CNIT 124: Advanced Ethical Hacking Ch 9: Password Attacks Topics Password Management Online Password Attacks Offline Password Attacks Dumping Passwords from RAM Password Management Password Alternatives
More informationAuthentication CS 136 Computer Security Peter Reiher January 22, 2008
Authentication CS 136 Computer Security Peter Reiher January 22, 2008 Page 1 Outline Introduction Basic authentication mechanisms Authentication on a single machine Authentication across a network Page
More informationInformation Security CS 526
Information Security CS 526 Topic 7: User Authentication CS526 Topic 7: User Authentication 1 Readings for This Lecture Wikipedia Password Password strength Salt_(cryptography) Password cracking Trusted
More informationUser Authentication. Daniel Halperin Tadayoshi Kohno
CSE 484 / CSE M 584 (Autumn 2011) User Authentication Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationT H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Authentication What is Authentication? Real-world and computer world examples? What is a result of authentication? What are the means for in
More informationExercises with solutions, Set 2
Exercises with solutions, Set 2 EITF55 Security, 2019 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More information5. Authentication Contents
Contents 1 / 47 Introduction Password-based Authentication Address-based Authentication Cryptographic Authentication Protocols Eavesdropping and Server Database Reading Trusted Intermediaries Session Key
More informationBTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security
BTEC Level 3 Unit 32 Network System Security Password Authentication and Protection Passwords Why are they important? Passwords are cheap to deploy, but also act as the first line of defense in a security
More informationUser Authentication. E.g., How can I tell you re you?
User Authentication E.g., How can I tell you re you? 1 The Basics Unlike real world authentication (e.g., you recognize someone s voice over the phone) computer can t recognize someone (well, not in the
More informationAuthentication. Steven M. Bellovin January 31,
Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to do Identification is whom you claim to be be Authentication
More informationAuthentication and passwords
Authentication and passwords Passwords The Key Idea Prover sends a password to a Verifier. The channel must be private If an attacker obtains a user s password, he can authenticate as her. Passwords must
More informationMODULE NO.28: Password Cracking
SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationAuthentication. Steven M. Bellovin September 26,
Authentication Steven M. Bellovin September 26, 2009 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to
More informationMessage Networking 5.2 Administration print guide
Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationSession objectives. Identification and Authentication. A familiar scenario. Identification and Authentication
Session objectives Background Identification and Authentication CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 3 Recognise the purposes of (password) identification.
More informationModule: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 1 Authentication and Authorization Fundamental mechanisms to enforce security on a system Authentication:
More informationCIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies
CIT 470: Advanced Network and System Administration Accounts and Namespaces CIT 470: Advanced Network and System Administration Slide #1 Topics 1. Namespaces 2. Policies 1. selection 2. lifetime 3. scope
More informationMANAGING LOCAL AUTHENTICATION IN WINDOWS
MANAGING LOCAL AUTHENTICATION IN WINDOWS Credentials Manager Windows OS has a set of tools that help remedy some of the authentication challenges. For example, the Credential Manager in Windows 7 and newer
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 13 Announcements Talk today: 3:00 Wu & Chen Auditorium Boon Thau Loo "Declarative Networking: Extensible Networks with Declarative Queries"
More informationCSCI 667: Concepts of Computer Security
CSCI 667: Concepts of Computer Security Lecture 8 Prof. Adwait Nadkarni Derived from slides by William Enck, Micah Sherr, Patrick McDaniel and Peng Ning 1 2 Announcements Project Proposals due Tonight,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationInformation Security in Systems and Networks
Information Security in Systems and Networks November 30, 2006 Damira Pon University at Albany, SUNY 1 Password Protection 2 Passwords Everywhere the Eye can See 3 Passwords Basic Problem How do you prove
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationProcesses and authentication
Processes and authentication UNIX process hierarchy ssh b146-* pstree -p less -S pstree -pu crandall lsof -p31009 nc -l 20202 & lsof -p31626 kill -9 31626 Process 1 Process 2 Process 3 System calls Kernel
More informationCHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM
109 CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM Security is considered to be the most critical factor in many applications. The main issues of such
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationHY-457 Information Systems Security
HY-457 Information Systems Security Recitation 1 Panagiotis Papadopoulos(panpap@csd.uoc.gr) Kostas Solomos (solomos@csd.uoc.gr) 1 Question 1 List and briefly define categories of passive and active network
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationCOMPUTER PASSWORDS POLICY
COMPUTER PASSWORDS POLICY 1.0 PURPOSE This policy describes the requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft. Passwords
More informationEvaluating Alternatives to Passwords
Security PS Evaluating Alternatives to Passwords Bruce K. Marshall, CISSP, IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Authentication Model Authenticator
More information