Pattern Recognition and Applications Lab AUTHENTICATION. Giorgio Giacinto.

Transcription

1 Pattern ecognition and Applications Lab AUTHENTICATION Giorgio Giacinto Computer Security 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Authentication and Authorization Authentication verification of the identity of the person (or process) the act of proving that a user is who she says she is Authorization verification of the privileges of a user on the resources he has access to Access matrix 2

2 Authentication mechanisms What you are biometrics (fingerprints, face, iris, etc.) What you have card, keys, etc. What you know a secret, such as a password, security question, PIN, etc. Multifactor authentication when multiple methods are used at the same time e.g., card + password 3 Username and Password Most common authentication mechanism The username provides the identity while the password is used for authentication The password is stored after encryption Verification is performed by comparing the encrypted password with the encrypted password provided by the user Weak passwords can be guessed by a dictionary attack against the password file - John the ipper password cracker 4

3 User-chosen password weaknesses password qwerty letmein football 10. iloveyou 11. admin 12. welcome 13. monkey 14. login 15. abc starwars dragon 19. passw0rd 20. master 5 Attacks on Something You Know Dictionary attacks Inferring likely passwords/answers Guessing Defeating encryption Exhaustive or brute-force attack Other good passwords 14% One character 0% Two characters 2% Three characters 14% Words in dictionaries or lists of names 15% Four characters, all letters 14% Six letters, lowercase 19% Five letters, all same case 22% 6

4 One-Time Password OTP A random password is generated by the server for onetime use (very short time-to-live) either the client runs the same algorithm and generates the same random password or the OTP is sent out-of-band (i.e., via SMS) 7 Biometrics More difficult to spoof Problem: user acceptance (intrusiveness) Need for advanced (expensive) sensors and algorithms for high accuracy 8

5 Selection of the authentication method Value of the assets Cost of the authentication solution Hardware, software, maintenance, user training, user acceptance, etc. Weaknesses of the solution technical, organizational, etc. 9 Federated Authentication and Single Sign-On

6 Federated Authentication User Identity Manager (performs authentication) Authenticated Identity Application (no authentication) Application (no authentication) Application (no authentication) 11 Single Sign-On User Password Authentication Application Single Sign-On Shell Token Authentication Application Identification and Authentication Credentials Authentication Application 12

7 Federated Identity Management (FIdM) 2 Authentication/ Authorization equest Authorization esponse 5 3 Third-Party Service Provider 6 Access equest Access esponse 1 Authentication equest Authentication Credentials Identity Management System 4 User 13 Kerberos Designed at MIT at the end of the 80s Authentication in distributed systems Public key cryptography 14

8 Kerberos Login 15 esource Access equest Example: request access to a file F the user negotiate with the TGS a session key that will be used for the communication between the user and the file server U TGS: {A, F} SG TGS U: {T S, L, S F, F, {T S, L, S F,U}S GF }S G U F: {T S, L, S F, U}S GF {A, T A }S F F U: {T A +1}S F T A e T S represent timestamps L is the time-to-live of the ticket 16

9 Security Assertion Markup Language (SAML) An XML-based standard that defines a way for systems to securely exchange user identity and privilege information is an example of a federated identity solution, open source, based on SAML UniCA uses Shibboleth for federated authentication The Italian Public System for Digital Identities (SPID) is based on SAML2 17 OAuth OAuth is an authorization standard OAuth enables a user to allow third-party applications to access APIs on that user s behalf for example, OAuth is called when Facebook asks a user if a new application can have access to his photos No password is shared 18

10 OAuth Standard IETF (FC 6749) 19 OAuth 20

11 OAuth Providers Facebook Google+ Amazon Dropbox OpenID Connect (OIDC) OAuth has been extended to support authentication in the form of OIDC OIDC is a relatively new standard for FIdM OIDC provides much better support for native applications (versus web applications) than does SAML Works by adding an identity token to the existing authorization tokens, essentially treating identity information as another authorization right 22

12 Authorization Access Policies Goals Check every access Enforce least privilege Verify acceptable usage Track users access Enforce at appropriate granularity Use audit logging to track accesses 24

13 Implementing Access Control eference monitor Access control directory Access control matrix Access control list Privilege list Capability Procedure-oriented access control ole-based access control 25 eference Monitor 26

14 Access Control Directory User A Directory File Name Access ights File Pointer Files File Name User B Directory Access File ights Pointer POG1.C OW BIBLIOG POG1.EXE OX TEST.TMP OX BIBLIOG OW PIVATE OW HELP.TXT HELP.TXT TEMP OW 27 Access Control Matrix 28

15 Access Control List File BIBLIOG Directory Access Lists Files Access List Access Pointer User ights BIBLIOG USE_A OW TEMP USE_B F USE_S W TEMP HELP.TXT USE_A OW USE_A OW F USE_S USE_A HELP.TXT USE_B USE_S USE_T SYSMG W USE_SVCS O 29 Directory Services Hierarchical archive for Identities Certificates Digital ights Management LDAP (Lightweight Directory Access Protocol) Many commercial variants (Microsoft Active Directory, IBM Tivoli, etc.) open source openldap 30