Authentication and passwords
- Caroline Johnston
- 5 years ago
1 Authentication and passwords
2 Passwords
3 The Key Idea
- The Prover sends a password to the Verifier. The channel must be private: if an attacker obtains a user's password, he can authenticate as her.
- Passwords must be hard to guess, but easy to remember, so that they don't have to be written down.
- We need to balance security and usability. E.g., passwords should be changed frequently, but this change shouldn't be mandatory.
4 Issues with passwords. Need to examine:
- Choosing the password, and how to set and change it
- Storing the password on each side: cryptography, software/hardware security
- Using/typing the password: *** masking vs shoulder surfing
- Transmitting the password: encrypted in some way? Not guaranteed to be sufficient
5 Users have the right to be bad. Bad User?
6 Attacks taxonomy
- Discovering: shoulder surfing; device malware (keyboard logger); eavesdropping/sniffing from the network; stealing from a server; spoofing (fake login page)
- Guessing, and verifying the guess: online or offline
7 Password guessing
- Online guessing: the attacker attempts to access the system and submits a guess of the password. The attacker can be thwarted by rate limiting.
- Offline guessing: the attacker checks a guess of the password against captured data. The checking is done in private; it cannot be thwarted by rate limiting.
- Target: one particular user; or many users, where any one will do (can be easier!); or many users, all of them.
8 Password strength
10 Entropy of a source. Let $X$ be a random variable (with a finite or infinite number of possible outcomes $x_i$). The entropy of $X$ [Shannon] is $H(X) = -\sum_x \Pr[X=x] \log_2 \Pr[X=x]$. Suppose $x_i$ has probability $p_i$ of occurring. Then $H(X) = -\sum_i p_i \log_2 p_i = \sum_i p_i \log_2 (1/p_i)$.
11 Examples. Let $X$ be a toss of a fair coin: $x_1$ = heads, $p_1 = 0.5$; $x_2$ = tails, $p_2 = 0.5$. Then $H(X) = -0.5 \log_2 0.5 - 0.5 \log_2 0.5 = 1$. Thus, exactly as one would expect, a fair coin toss carries exactly one bit of information. Let $X$ be a toss of a biased coin: $x_1$ = heads, $p_1 = 0.3$; $x_2$ = tails, $p_2 = 0.7$. Then $H(X) = -0.3 \log_2 0.3 - 0.7 \log_2 0.7 \approx 0.88$. So a biased coin carries less information (it's more predictable). By the same calculation, a coin biased $0.01/0.99$ carries only about $0.08$ bits of information.
12 Application to passwords. Let $X$ be a password selected from the 8-character strings formed from the alphabet A-Z a-z 0-9 !@$%^&*()_-=+\;., and say the alphabet has 80 characters. Passwords have length 8, so there are $80^8 \approx 1.7 \times 10^{15}$ possibilities. If every password is equally likely, the entropy is $\sum (1/80^8) \log_2 (80^8) = \log_2 (80^8) = 8 \log_2 80 \approx 50.6$ bits. Sounds great, but that's assuming every password is as likely as every other one. We know password123 and letmein are much more likely, and j&fr}5=x very unlikely. So what is the true entropy in typical password scenarios?
14 Approximating real-life passwords. Let's assume that 20% of the users pick a very bad password: passwords like password, pa$$w0rd, and each of (say) 20 other variations; also words like letmein, qwerty, and their variations. Say there are 200 such passwords. Another 30% of the users chose dictionary words with a number at the end, like laptop3: say 1000 words × 10 numbers = $10^4$ such passwords. Another 40% of them did it slightly better, like lovelife^$&: say 1000 words × 1000 decorations = $10^6$ such passwords. That leaves a remaining 10%: 4% picked from $10^8$ passwords, 4% picked from $10^{20}$ passwords, and 2% picked from the remaining $10^{72}$ passwords.
15 Calculating the entropy. A pool of $n$ passwords chosen by a fraction $s$ of the users, each with probability $s/n$, contributes $\sum_n -(s/n) \log_2 (s/n) = s \log_2 (n/s)$ bits, so:
- 200 passwords, each with probability $0.2 \cdot 1/200$: $\sum_{200} -(0.2/200) \log_2 (0.2/200) = 0.2 \log_2 1000 \approx 1.99$
- $10^4$ passwords, each with probability $0.3 \cdot 1/10^4$: $\sum -(0.3/10^4) \log_2 (0.3/10^4) \approx 4.51$
- $10^6$ passwords, each with probability $0.4 \cdot 1/10^6$: $\sum -(0.4/10^6) \log_2 (0.4/10^6) \approx 8.50$
- $10^8$ passwords, each with probability $0.04 \cdot 1/10^8$: $\sum -(0.04/10^8) \log_2 (0.04/10^8) \approx 1.25$
- $10^{20}$ passwords, each with probability $0.04 \cdot 1/10^{20}$: $\sum -(0.04/10^{20}) \log_2 (0.04/10^{20}) \approx 2.84$
- $10^{72}$ passwords, each with probability $0.02 \cdot 1/10^{72}$: $\sum -(0.02/10^{72}) \log_2 (0.02/10^{72}) \approx 4.90$
Total: about 24 bits of entropy on average. And check that our probabilities add up to 1: $0.2 + 0.3 + 0.4 + 0.04 + 0.04 + 0.02 = 1$.
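The calculations of slides 10 to 15 carried through in code, as an added example that is not part of the original slides. It uses the slides' own numbers; the per-pool closed form $s \log_2(n/s)$ is the slides' sum collapsed over one pool (which is what makes the $10^{72}$ pool computable), and guesses_to_cover is an added helper that assumes the attacker knows the same mixture model and tries the most probable pool first.

```python
from math import log2

def entropy_bits(dist):
    """Shannon entropy H(X) = sum_i p_i * log2(1/p_i) of a {outcome: probability} map."""
    return sum(p * log2(1.0 / p) for p in dist.values() if p > 0)

def coin_entropy(p_heads):
    return entropy_bits({"heads": p_heads, "tails": 1.0 - p_heads})

def uniform_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: log2 of the number of possibilities."""
    return length * log2(alphabet_size)

# Mixture model from slides 14-15: (percentage of users, size of the pool those
# users pick uniformly from). Constructed from the slide numbers.
SLIDE_MODEL = [
    (20, 200),      # "password", "qwerty", ... and variations
    (30, 10**4),    # dictionary word + one digit
    (40, 10**6),    # dictionary word + decoration
    (4, 10**8),
    (4, 10**20),
    (2, 10**72),
]

def pool_contribution(pct, n):
    """n passwords each with probability s/n (s = pct/100) contribute
    n * (s/n) * log2(n/s) = s * log2(n/s) bits; no need to enumerate 10^72 strings."""
    s = pct / 100.0
    return s * log2(n / s)

def per_pool_contributions(model):
    return [round(pool_contribution(pct, n), 2) for pct, n in model]

def mixture_entropy_bits(model):
    assert sum(pct for pct, _ in model) == 100, "shares must add up to 1"
    return sum(pool_contribution(pct, n) for pct, n in model)

def expand_model(model):
    """Explicit distribution for a *small* model, to cross-check pool_contribution
    against the definition in entropy_bits. Outcomes are labelled pool/index."""
    return {f"{i}/{j}": pct / 100.0 / n
            for i, (pct, n) in enumerate(model) for j in range(n)}

def guesses_to_cover(model, target_pct):
    """Guesses needed, trying the most probable pools first, to crack at least
    target_pct of the users when the attacker knows the model."""
    covered = guesses = 0
    for pct, n in sorted(model, key=lambda m: m[0] / m[1], reverse=True):
        if covered + pct >= target_pct:
            remaining = target_pct - covered
            return guesses + -(-remaining * n // pct)   # ceiling division
        covered += pct
        guesses += n
    return guesses

if __name__ == "__main__":
    print("fair coin      ", coin_entropy(0.5))
    print("0.3/0.7 coin   ", round(coin_entropy(0.3), 2))
    print("0.01/0.99 coin ", round(coin_entropy(0.01), 2))
    print("80^8 uniform   ", round(uniform_entropy_bits(80, 8), 1))
    print("4 of 90000     ", round(uniform_entropy_bits(90000, 4), 1))
    print("per pool       ", per_pool_contributions(SLIDE_MODEL))
    print("mixture        ", round(mixture_entropy_bits(SLIDE_MODEL), 1))
    print("guesses for 50%", guesses_to_cover(SLIDE_MODEL, 50))
```

The last line is the practical reading of "24 bits": an attacker who tries the 200 worst passwords and then the $10^4$ word-plus-digit ones has spent 10,200 guesses and expects to own half the accounts, while the 66-bit four-word passphrase needs on the order of $2^{65}$ guesses on average.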
16 Battery horse staple. Let's say you use a dictionary of 90,000 words (/usr/share/dict/words has 99,171 words on my system) and the computer chooses 4 words uniformly at random, like "correct battery horse staple". This gives $90000^4 \approx 6.6 \times 10^{19}$ possibilities, that's about $2^{66}$ possibilities, so about 66 bits of entropy. Let's calculate the entropy with the log formula: there are $90000^4$ passwords, each with probability $1/90000^4$, so $\sum (1/90000^4) \log_2 (90000^4) = 4 \log_2 90000 \approx 65.8$. That's great. But how usable is it? Say you have 40 passwords to remember...
17 User-chosen vs system-generated? 99% of systems, including most banks, allow people to choose their passwords. This makes them much less secure: lower entropy in general, and even for security-aware users, humans are UNABLE to generate really random values, so the entropy is just lower. But it is hard to make system-generated passwords memorable.
18 Core password problem
- Impossible situation for humans: secure => uniformly random (chosen by machine) => not memorable by humans.
- Passwords must be different for every service.
- Usually implies a compromise between memorable and random: passwords are chosen by the user (memorable) but aim to be as random as possible, e.g. must have a mix of A-Z a-z 0-9 $%^&*(); must change every 6 months; must be different from the previously chosen 10 passwords.
- Increasingly popular: password managers. Passwords are chosen by machine and stored in the password manager; the user just remembers one password, to unlock the manager. Problem: a single point of failure, from both the security and the availability point of view.
19 Secondary passwords (password recovery service). Two problems:
- Usually less secure: a backdoor entry point. Sarah Palin hack: the Yahoo account of the USA vice-presidential candidate was accessed by David Kernell in Sept 2008, who looked up bio details including her high school and birthdate and used Yahoo's password recovery service.
- Legitimate users fail to pass. Most of these questions, such as the name of your first pet or your first car, do not have a unique answer (problems with spelling, capital letters, etc.), and users may deliberately put incorrect information anyway.
20 Password Storage
21 Password storage and verification. How to store a password $p$? Method 1: store $p$. VERY BAD! An unnecessary point of failure: an attacker might obtain all the passwords. If a website is able to remind you of your password, it's storing it: rubbish website. Not needed! Key concept: OWF = one-way function.
22 Method 2: store $h(p)$, with $h$ a OWF. Better, but brute-force attacks remain possible, even though $h$ is a OWF: if an attacker obtains all the password hashes, it can guess passwords and check the guesses offline. Simple use of a OWF does protect strong passwords, but it doesn't adequately protect weak ones.
23 Method 2, continued. Storing $h(p)$ also allows an attacker to guess a password and verify it against all the users in one go: for each guessed $p$, just check whether $h(p)$ is in the password file. One hash computation per guess covers every user.
24 Method 3. Key idea: make sure identical passwords are stored differently. Example 1: store $h(\text{name}, p)$. Example 2: store $h(\text{salt}, p)$ together with the salt, the salt being a random "shadow ID" for this user. Unix originally stored $h(p)$ in the world-readable /etc/passwd; now it stores $h(\text{salt}, p)$ and the salt in /etc/shadow, readable only by root: defence in depth. The attacker now cannot relate the passwords of different users, which removes the faster dictionary attack from the last slide.
25 So is it better to store: Method 3A: store h(name, machine ID, salt, password), salt?
26 Slow hash functions. Instead of using a plain hash function, one can use one that is deliberately slow. This slows down an attacker doing offline guessing, while adding a small, hopefully negligible, cost to each verification. PBKDF2 (standardised in 2000, PKCS #5 v2.0) iterates the hash, e.g. 1000 or 10000 times; unfortunately it can be computed very fast on ASICs or GPUs. bcrypt (1999) needs more RAM and resists better. scrypt can use arbitrarily large amounts of memory and resists better still.
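The attack of slide 23 and the defence of slides 24 and 26 side by side, as an added example that is not part of the original slides. It uses only the Python standard library: plain SHA-256 stands in for the unsalted $h(p)$, and PBKDF2-HMAC-SHA256 with a random 16-byte salt for $h(\text{salt}, p)$. The user list, word list and the iteration count are constructed for the demo and are not from the slides.

```python
import hashlib
import hmac
import os

# ---- Method 2: unsalted hash. One hash computation tests a guess against all users. ----
def store_unsalted(password):
    return hashlib.sha256(password.encode()).digest()

def crack_unsalted(stored, wordlist):
    """stored: {user: digest}. Returns ({user: password}, number of hashes computed)."""
    users_by_digest = {}
    for user, digest in stored.items():
        users_by_digest.setdefault(digest, []).append(user)
    found, work = {}, 0
    for guess in wordlist:
        work += 1                                   # one hash per guess, however many users
        for user in users_by_digest.get(store_unsalted(guess), []):
            found[user] = guess
    return found, work

# ---- Method 3 + slow hash: random per-user salt, PBKDF2-HMAC-SHA256. ----
def store_salted(password, iterations):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, digest, iterations)               # the record kept in the password file

def verify_salted(password, record):
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def crack_salted(stored, wordlist):
    """Every user has a different salt, so every guess must be re-hashed per user."""
    found, work = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, record):
                found[user] = guess
                break
    return found, work

# Constructed sample data: two users share a weak password, one has a strong one.
USERS = {"alice": "password123", "bob": "letmein", "carol": "password123", "dave": "j&fr}5=x"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]
DEMO_ITERATIONS = 2000   # assumed, kept small so the demo runs quickly; use far more in production

def demo():
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    found1, work1 = crack_unsalted(unsalted, WORDLIST)
    salted = {u: store_salted(p, DEMO_ITERATIONS) for u, p in USERS.items()}
    found2, work2 = crack_salted(salted, WORDLIST)
    return {
        "unsalted_found": found1, "unsalted_hashes": work1,
        "salted_found": found2, "salted_hashes": work2,
        "unsalted_alice_equals_carol": unsalted["alice"] == unsalted["carol"],
        "salted_alice_equals_carol": salted["alice"][1] == salted["carol"][1],
        "verify_ok": verify_salted("password123", salted["alice"]),
        "verify_wrong": verify_salted("Password123", salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both attacks recover the same three weak passwords; the difference is the bill. Unsalted, five hashes test five guesses against four users and the identical digests of alice and carol are visible before any cracking starts. Salted, the same word list costs a hash per guess per user, and each of those hashes is 2000 (in practice far more) SHA-256 compressions. Where the build of OpenSSL supports it, hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1) is the memory-hard drop-in that the slide's last bullet refers to.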
27 Lots of password leaks. In June 2012 a file containing over six million password hashes, which allegedly originated from LinkedIn, was widely circulated over the Internet. The hashes were not salted. Hackers then recovered lots of passwords using rainbow tables and dictionary attacks. Many cracked passwords contained "linked" or even "linkedin"; for example "lawrencelinkedin". Even passwords such as "parikh", "a06v1203n08" and "376417miata?" had already been cracked.
28 Ashley Madison. In July 2015, a group calling itself The Impact Team stole the user data of Ashley Madison, a website aiming to enable extramarital affairs. Passwords were salted and hashed with bcrypt. This means strong passwords are safe, but weak ones can still be brute-forced. Five days of cracking revealed 4000 passwords out of 36M (about 0.01%); the most common were: (202), password (105), (99), qwerty (32), (31), ashley (28), baseball (27), etc. Caveat: maybe some users picked weak passwords because they entered throw-away data.
29 Case study: Firefox password mgt (see other slides)
30 Limited disclosure schemes. Used by many banks: "please type digits 1, 3, 4 and the last" (* * * *). Addresses: malware on the client, shoulder surfing, keyboard loggers (one observation reveals only part of the secret). Does not address: theft of the password file from the server. Quiz: if the attempt fails, should the system ask for the same subset or a different one?
31 Limited disclosure schemes: how to store these passwords? Store in the usual way, $h(p, \text{salt})$, salt? Doesn't work: the server has to verify a subset of the characters, and a hash of the whole password cannot be checked from a subset. Store individual characters, $h(c_1, \text{salt}_1), h(c_2, \text{salt}_2), \ldots$? Insecure! Each character comes from a tiny alphabet, so every position can be brute-forced independently from the stolen hashes. Something else?
32 One-Time Passwords (OTP). Key properties: the password is changed each time, so the attacker cannot know it in advance. Real-time man-in-the-middle attacks remain possible (the attacker relays the current OTP before it is used).
33 Lamport's OTP scheme. Based on a OWF: use hash chains, traversed backwards. Let $x_1 = h(x)$, $x_2 = h(x_1)$, ..., $x_{1000} = h(x_{999})$. Store $x_{1000}$ on the server: small storage, fast. Go backwards: the passwords are $x_{999}$, then $x_{998}$, then ... Each $x_i$ allows one login only. If the user submits $p$, the server checks whether $h(p)$ equals the stored value $x$; if true, it sets $x := p$ and the login is accepted. The user keeps a sheet with $x_{999}, x_{998}, x_{997}, x_{996}, \ldots$ Problem: the sheet can be photocopied while the user still has it, naively thinking it is secure.
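The scheme above with both sides written out, as an added example that is not part of the original slides. SHA-256 plays the role of $h$; the seed, the chain length and the class names are assumptions for the demo. The server stores nothing but the current chain head, and the second call with the same value shows why a captured (or photocopied) password is useless once it has been used.

```python
import hashlib
import secrets

def h(x):
    return hashlib.sha256(x).digest()

def make_chain(seed, n):
    """[x_0, x_1, ..., x_n] with x_0 = seed and x_{i+1} = h(x_i)."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class LamportServer:
    """Stores only the current head x; accepts p iff h(p) == x, then sets x := p."""
    def __init__(self, x_n):
        self.head = x_n
        self.logins = 0

    def login(self, p):
        if h(p) == self.head:
            self.head = p          # move one step down the chain
            self.logins += 1
            return True
        return False

class LamportClient:
    """Holds the seed and recomputes x_i on demand; a printed sheet would hold the same values."""
    def __init__(self, seed, n):
        self.seed, self.next_index = seed, n - 1

    def next_password(self):
        if self.next_index < 0:
            raise RuntimeError("chain exhausted: enrol a new seed with the server")
        p = make_chain(self.seed, self.next_index)[-1]   # x_{next_index}
        self.next_index -= 1
        return p

def sheet(seed, n, count):
    """The first `count` passwords the user would print: x_{n-1}, x_{n-2}, ..."""
    count = min(count, n)
    chain = make_chain(seed, n)
    return [chain[i] for i in range(n - 1, n - 1 - count, -1)]

def demo(n=1000):
    seed = secrets.token_bytes(32)                   # constructed secret; the slides' x
    server = LamportServer(make_chain(seed, n)[-1])  # server enrols x_n only
    client = LamportClient(seed, n)
    p999 = client.next_password()
    first = server.login(p999)       # fresh x_999: accepted
    replay = server.login(p999)      # same value again: h(x_999) == x_1000 != x_999, rejected
    p998 = client.next_password()
    second = server.login(p998)      # x_998: accepted, head moves down the chain
    # an eavesdropper holding x_998 would need a preimage of it to forge x_997
    return first, replay, second, server.logins

if __name__ == "__main__":
    print(demo())
```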
34 Time-synchronized OTP (figure: hardware token => PC login)
35 Time-synchronized OTP. The code is fixed for a short period, which is the attacker's window of opportunity: within the 30 s that a code stays valid, a second session is possible, connected from another location, using a code captured from the first.
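The 30 s window of slide 35 made concrete, as an added example that is not part of the original slides. It goes beyond the slide by using the standard time-synchronised algorithm, TOTP (RFC 6238) over HOTP (RFC 4226), so that the codes can be checked against the published test vectors. The key is the RFC's test key, used here as a constructed secret; the verifier class and its single_use bookkeeping are assumptions for the demo, not part of the RFC.

```python
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

def totp(key, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step); one code per whole step."""
    return hotp(key, int(at_time) // step, digits)

class TotpVerifier:
    def __init__(self, key, step=30, skew=1, single_use=True):
        self.key, self.step, self.skew, self.single_use = key, step, skew, single_use
        self.last_counter = -1          # highest step whose code has been redeemed

    def verify(self, code, at_time):
        counter = int(at_time) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):   # tolerate clock drift
            if self.single_use and c <= self.last_counter:
                continue                # a code for this step was already used: replay
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = max(self.last_counter, c)
                return True
        return False

RFC_KEY = b"12345678901234567890"      # RFC 4226/6238 test key, used as a constructed secret

def demo():
    t = 30                              # step counter 1: the RFC 4226 vector "287082"
    code = totp(RFC_KEY, t)
    strict = TotpVerifier(RFC_KEY)
    lax = TotpVerifier(RFC_KEY, single_use=False)
    first = strict.verify(code, t)                   # legitimate login
    replay_blocked = not strict.verify(code, t + 15) # same 30 s step, second session: rejected
    replay_allowed = lax.verify(code, t + 15)        # without bookkeeping the captured code still works
    later = lax.verify(code, t + 90)                 # ... but only inside the window (+/- one step)
    return first, replay_blocked, replay_allowed, later

if __name__ == "__main__":
    print(demo())
```

The window is the sum of the step (30 s) and whatever skew the verifier tolerates; a server that accepts a code only once per step closes the "second session from another location" of slide 35, but does nothing against a real-time man-in-the-middle who relays the code before the legitimate user does.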
36 Challenge-Response Protocols
37 Challenge is a random nonce. $A$ and $B$ share a key $K$:
    B -> A: random_B
    A -> B: A, MAC_K(random_B, B)
38 Challenge is time or counter. $A$ and $B$ share a key $K$; tc is the current time or counter value:
    A -> B: A, tc, MAC_K(tc, B)
One can also use a block or stream cipher as the MAC.
39 Counters, nonces, timestamps
- Challenge = random nonce: the best solution (fresh and unpredictable, so an old response is never valid again).
- Counter/sequence number as a static challenge. E.g., a wireless car key sends id, MAC_K(id, counter), where $K$ is shared between key and car; the car must remember the last counter it accepted so that a replayed message is rejected.
- Time as a challenge: difficult to make secure. Needs reliable, synchronised clocks, and the challenge is to make the granularity small enough.
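Both exchanges of slides 37 to 39 with both sides' messages, as an added example that is not part of the original slides. HMAC-SHA256 is the MAC; the length-prefixed field encoding, the nonce bookkeeping on the verifier, and the assumption that the car key transmits its counter in clear (so the car can recompute the MAC) are mine, not the slides'.

```python
import hashlib
import hmac
import secrets

def mac(key, *fields):
    """MAC_K over a sequence of fields; each field is length-prefixed so that
    (b"ab", b"c") and (b"a", b"bc") never produce the same input."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()

class Prover:                                   # A
    def __init__(self, key, name):
        self.key, self.name = key, name

    def respond(self, nonce, verifier_name):
        # A -> B: A, MAC_K(random_B, B)
        return self.name, mac(self.key, nonce, verifier_name)

class NonceVerifier:                            # B, slide 37
    def __init__(self, keys, name):
        self.keys, self.name, self.outstanding = keys, name, set()   # keys: {prover name: K}

    def challenge(self):
        # B -> A: random_B, fresh and unpredictable
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, claimed_name, nonce, tag):
        if nonce not in self.outstanding:       # unknown, expired or already-answered nonce
            return False
        self.outstanding.discard(nonce)         # each challenge is answerable exactly once
        key = self.keys.get(claimed_name)
        return key is not None and hmac.compare_digest(mac(key, nonce, self.name), tag)

class CarKey:                                   # counter variant, slide 39
    def __init__(self, key, key_id):
        self.key, self.key_id, self.counter = key, key_id, 0

    def press(self):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return self.key_id, self.counter, mac(self.key, self.key_id, ctr)   # id, counter, MAC_K(id, counter)

class Car:
    def __init__(self, key, key_id):
        self.key, self.key_id, self.last = key, key_id, 0

    def check(self, key_id, counter, tag):
        if key_id != self.key_id or counter <= self.last:   # replayed or stale counter
            return False
        expected = mac(self.key, key_id, counter.to_bytes(4, "big"))
        if not hmac.compare_digest(expected, tag):
            return False
        self.last = counter
        return True

def demo():
    K = secrets.token_bytes(32)                 # constructed shared key
    alice, bob = Prover(K, b"A"), NonceVerifier({b"A": K}, b"B")
    n1 = bob.challenge()
    name, tag = alice.respond(n1, b"B")
    ok = bob.check(name, n1, tag)               # genuine response: accepted
    replay_same = bob.check(name, n1, tag)      # replayed verbatim: nonce already consumed
    n2 = bob.challenge()
    replay_new = bob.check(name, n2, tag)       # old tag against a new challenge: wrong MAC

    K2 = secrets.token_bytes(16)
    fob, car = CarKey(K2, b"fob-1"), Car(K2, b"fob-1")
    msg = fob.press()
    unlock = car.check(*msg)                    # counter 1: accepted
    replay = car.check(*msg)                    # same recording again: counter not > last
    unlock2 = car.check(*fob.press())           # counter 2: accepted
    return ok, replay_same, replay_new, unlock, replay, unlock2

if __name__ == "__main__":
    print(demo())
```

The verifier's name inside the MAC is what stops a reflection attack: a response computed for $B$ cannot be presented to $A$ acting as verifier, because $A$ would expect MAC_K(nonce, A). Note what the counter scheme gives up relative to the nonce: the car cannot tell a key pressed out of range (counter jumps ahead) from an attacker who recorded several presses, which is why real rolling-code systems bound the acceptable jump.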
40 Unilateral vs bilateral authentication. Unilateral authentication is historically very popular. Examples: password -> login; SIM card -> GSM base station (fixed in 3G); offline bank card transactions -> point-of-sale terminal. Problems: login page spoofing etc.; false GSM base stations; false ATMs.
41 Bilateral authentication. Really important on the web, to try to prevent phishing attacks: TLS. Problem: key certification.
Understanding how to prevent Sensitive Data Exposure Dr Simon Greatrix Just Trust The Internet! Lots of free advice Opinions to suit all tastes Also has pictures of cats! Not responsible for the collapse
More informationPassword authentication How passwords are compromised How to protect and choose passwords Other types of authentication Biometrics
Password authentication How passwords are compromised How to protect and choose passwords Other types of authentication s Identification Present an identifier to a security system Example: username Authentication
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationMaria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security
Migrant Student Information Exchange (MSIX) Security, Privacy and Account Management Webinar Deloitte Consulting LLP. February 22, 2018 Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor
More informationCOMPUTER PASSWORDS POLICY
COMPUTER PASSWORDS POLICY 1.0 PURPOSE This policy describes the requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft. Passwords
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationOS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)
More informationWireless LAN Security (RM12/2002)
Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For
More informationPassword cracking. IN Ethical Hacking. Bruvoll & Sørby. Department of Informatics 1 / 46
Password cracking IN5290 - Ethical Hacking Bruvoll & Sørby Department of Informatics 2018 1 / 46 Agenda About passwords Cracking passwords 2 / 46 About passwords 3 / 46 Passwords as authentication Providing
More informationHY-457 Information Systems Security
HY-457 Information Systems Security Recitation 1 Panagiotis Papadopoulos(panpap@csd.uoc.gr) Kostas Solomos (solomos@csd.uoc.gr) 1 Question 1 List and briefly define categories of passive and active network
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationAuthentication. Steven M. Bellovin September 26,
Authentication Steven M. Bellovin September 26, 2009 1 Authentication Another trilogy: identification, authentication, authorization ACLs and the like are forms of authorization: what you re allowed to
More informationCONTENTS. Professional part. Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords
CONTENTS Professional part Paradigm shift Virtual world real security Old rules, howto-s: good for re-thinking Passwords PARADIGM PARADIGM What is that, how could you describe it? PARADIGM Set of generally
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationCYBER ATTACKS EXPLAINED: WIRELESS ATTACKS
CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More information