Computer Security: Principles and Practice


Computer Security: Principles and Practice, Chapter 3: User Authentication. First Edition by William Stallings and Lawrie Brown. Lecture slides by Lawrie Brown.

User Authentication
- fundamental security building block; the basis of access control and user accountability
- the process of verifying an identity claimed by or for a system entity
- has two steps:
  - identification: the entity presents an identifier (e.g. a login name)
  - verification: the system binds the entity (person) to that identifier, i.e. checks the claim
- distinct from message authentication, which protects the origin and integrity of data

Means of User Authentication
- four means of authenticating a user's identity, based on something the individual:
  - knows, e.g. password, PIN
  - possesses, e.g. key, token, smartcard
  - is (static biometrics), e.g. fingerprint, retina
  - does (dynamic biometrics), e.g. voice pattern, handwriting/signature
- can be used alone or combined
- all can provide user authentication; all have issues

Password Authentication
- widely used user authentication method
- user provides name/login and password
- system compares the password with the one saved for that login
- authenticates the identity of the user logging in and confirms that the user is authorized to access the system
- the identifier determines the user's privileges and is used in discretionary access control

Password Vulnerabilities
- offline dictionary attack (attacker obtains the password file and tests guesses against the stored hashes)
- specific account attack (repeated guesses against one account)
- popular password attack (one common password tried across many accounts)
- password guessing against a single user (using knowledge about that user)
- workstation hijacking (an unattended, logged-in session)
- exploiting user mistakes (written-down, shared or default passwords)
- exploiting multiple password use (one compromised password reused on other systems)
- electronic monitoring (capturing the password on the network)

Countermeasures
- stop unauthorized access to the password file
- intrusion detection measures
- account lockout mechanisms
- policies that forbid common passwords and require hard-to-guess ones
- training and enforcement of policies
- automatic workstation logout
- encrypted network links

Use of Hashed Passwords (figure: at account creation the password is combined with a random salt and run through a slow one-way hash, and salt plus hash are stored; at login the stored salt is retrieved, the hash recomputed and compared)

UNIX Implementation
- original scheme: up to 8 characters of the password form a 56-bit DES key
- a 12-bit salt is used to modify the DES algorithm into a one-way hash function
- a zero block is repeatedly encrypted 25 times under that key
- the output is translated to an 11-character sequence and stored alongside the salt
- now regarded as woefully insecure, e.g. a supercomputer could perform 50 million tests in 80 minutes
- sometimes still used for compatibility

Improved Implementations
- other, stronger hash/salt variants exist
- many systems now use the MD5-based crypt: 48-bit salt, unlimited password length, a 1000-iteration inner loop, 128-bit hash
- OpenBSD uses a Blowfish block cipher based hash algorithm called bcrypt: a 128-bit salt is used to create a 192-bit hash value, with a tunable cost (iteration count) so the work factor can be raised as hardware gets faster

Password Cracking
- dictionary attacks: try each word, then its obvious variants, from a large dictionary against the hashes in the password file
- rainbow table attacks: precompute tables of hash values for all salts; a mammoth table of hash values, e.g. a 1.4 GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 seconds
- not feasible if larger salt values are used (the table would have to cover every possible salt)
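The hashed-password scheme of the three preceding slides and the dictionary attack against it, as an added example that is not part of the original slides. The record format (iterations$salt$hash), PBKDF2-HMAC-SHA256 standing in for the DES/MD5/Blowfish constructions, the account list and the word list are all constructed for the demo; the work factor is deliberately low so the attack finishes in well under a second.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor of the iterated hash. The MD5-based crypt on the slide uses a
# 1000-iteration inner loop; production values today are far higher. Kept at
# 1000 here so the cracking demo below runs quickly.
ITERATIONS = 1000
SALT_BYTES = 16   # 128-bit salt, the size bcrypt uses

# Constructed password file for the demo: one variant of a dictionary word,
# one strong password, one bare dictionary word.
DEMO_ACCOUNTS = {"alice": "Secret1", "bob": "kq7#Wz9!pLm2", "carol": "password"}
DEMO_DICTIONARY = ["secret", "password", "letmein", "welcome"]


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a password-file record of the form iterations$salthex$hashhex.

    A fresh random salt is drawn unless one is supplied (the verifier and the
    cracker reuse the stored salt).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def variants(word: str) -> list[str]:
    """The 'obvious variants' a cracker tries after the dictionary word itself."""
    out = []
    for form in (word, word.capitalize(), word.upper(), word[::-1]):
        out.append(form)
        out.extend(form + suffix for suffix in ("1", "123", "!", "2018"))
        out.append(form.replace("a", "@").replace("o", "0").replace("e", "3").replace("s", "$"))
    return list(dict.fromkeys(out))   # de-duplicate, keep order


def dictionary_attack(password_file: dict[str, str], dictionary: list[str]) -> dict[str, str]:
    """Offline dictionary attack against a stolen password file.

    Every guess must be hashed separately under each account's salt, which is
    why salting defeats a precomputed (rainbow) table: no single table of
    hashes applies to all accounts.
    """
    cracked = {}
    for user, record in password_file.items():
        iterations, salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in dictionary:
            for guess in variants(word):
                if hash_password(guess, salt, int(iterations)) == record:
                    cracked[user] = guess
                    break
            if user in cracked:
                break
    return cracked


def build_password_file(accounts: dict[str, str]) -> dict[str, str]:
    """Enrol each account with its own random salt."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def run_demo() -> dict[str, str]:
    """Hash the demo accounts, then crack whatever the word list reaches."""
    return dictionary_attack(build_password_file(DEMO_ACCOUNTS), DEMO_DICTIONARY)


if __name__ == "__main__":
    for user, guess in run_demo().items():
        print(f"{user}: {guess}")
```

Running it recovers alice's "Secret1" (capitalised word plus a digit) and carol's "password", but not bob's. Note that the salt does not slow the attacker down per guess; only the iteration count does that. The salt's job is to force the work to be redone for every account and to make a precomputed table useless.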

Password Choices
- users may pick short passwords, e.g. in one study 3% were 3 characters or less and easily guessed; a system can reject choices that are too short
- users may pick guessable passwords, so crackers use lists of likely passwords, e.g. one study of 14,000 encrypted passwords guessed nearly a quarter of them
- it would take about 1 hour on the fastest systems to compute all the variants, and the attacker only needs one break

Password File Access Control
- can block offline guessing attacks by denying access to the encrypted (hashed) passwords
- make them available only to privileged users, often using a separate shadow password file
- still have vulnerabilities:
  - exploiting an O/S bug
  - an accident with permissions making the file readable
  - users with the same password on other systems
  - access from unprotected backup media
  - sniffing passwords in unprotected network traffic

Using Better Passwords
- clearly have problems with passwords
- goal: eliminate guessable passwords while keeping them easy for the user to remember
- techniques: user education, computer-generated passwords, reactive password checking, proactive password checking

Proactive Password Checking
- rule enforcement plus user advice, e.g. 8+ characters with a mix of upper/lower case, numeric and punctuation characters; may not suffice on its own
- running a password cracker against each candidate works but has time and space issues
- Markov model: a model trained on the dictionary generates guessable passwords, hence reject any password it might generate
- Bloom filter: build a compact table from the dictionary using several hashes, then check the desired password against this table
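A proactive checker combining the rule enforcement and the Bloom filter test described on this slide, as an added example that is not part of the original slides. The filter sizing formulas, the double-hashing scheme that derives k positions from one SHA-256, the normalisation of leet-speak and trailing digits, and the eight-word dictionary are all my choices for the demo; a real deployment would load a multi-million-entry cracking dictionary.

```python
import hashlib
import math
from typing import Iterator


class BloomFilter:
    """Set-membership test with no false negatives and a tunable false-positive rate.

    Sized with the standard formulas for n items at rate p:
    m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
    """

    def __init__(self, expected_items: int, false_positive_rate: float):
        n, p = expected_items, false_positive_rate
        self.m = max(8, math.ceil(-n * math.log(p) / (math.log(2) ** 2)))  # bits
        self.k = max(1, round(self.m / n * math.log(2)))                   # hashes
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # k bit positions from a single SHA-256: h_i = h1 + i*h2 mod m
        # (double hashing), one of the usual ways to get "several hashes" cheaply.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed stand-in for a cracking dictionary.
DICTIONARY = ["password", "secret", "letmein", "welcome", "qwerty", "dragon", "monkey", "football"]

_LEET = str.maketrans("@03$", "aoes")


def normalize(password: str) -> str:
    """Undo the tricks a cracker's variant rules also undo: case, trailing
    digits/punctuation, common leet substitutions."""
    base = password.lower().rstrip("0123456789!@#$%^&*._-")
    return base.translate(_LEET)


def build_filter(words: list[str]) -> BloomFilter:
    # 1e-6 false positives: a handful of acceptable passwords wrongly rejected
    # per million is a fine trade for a filter of a few bytes per word.
    bf = BloomFilter(expected_items=len(words), false_positive_rate=1e-6)
    for w in words:
        bf.add(w)
    return bf


def check_password(password: str, dictionary_filter: BloomFilter) -> tuple[bool, str]:
    """Proactive check: rule enforcement first, then the dictionary test."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    classes = sum(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))
    classes += any(not c.isalnum() for c in password)
    if classes < 3:
        return False, "needs at least three of: lower, upper, digit, punctuation"
    if password.lower() in dictionary_filter or normalize(password) in dictionary_filter:
        return False, "derived from a dictionary word"
    return True, "accepted"


if __name__ == "__main__":
    bf = build_filter(DICTIONARY)
    print(f"filter: {bf.m} bits, {bf.k} hashes for {len(DICTIONARY)} words")
    for candidate in ("Ab1!", "correcthorsebattery", "P@ssw0rd!", "Vq7!mRx2pLd"):
        print(candidate, check_password(candidate, bf))
```

"P@ssw0rd!" satisfies every composition rule yet is rejected, because after normalisation it is the dictionary word "password"; that is the gap the slide means when it says rule enforcement "may not suffice". The filter never rejects a word that is absent by mistake in the other direction: a dictionary word can never slip through.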

Token Authentication
- an object the user possesses in order to authenticate, e.g. embossed card, magnetic stripe card, memory card, smartcard

Memory Card
- stores but does not process data
- magnetic stripe card, e.g. bank card; electronic memory card
- used alone for physical access; combined with a password/PIN for computer use
- drawbacks of memory cards include: need for a special reader, loss-of-token issues, user dissatisfaction

Smartcard
- credit-card-like; has its own processor, memory and I/O ports
- wired or wireless access by a reader
- may have a crypto co-processor
- ROM, EEPROM and RAM memory
- executes a protocol to authenticate with the reader/computer
- USB dongles also fall into this category

Biometric Authentication
- authenticate the user based on one of their physical characteristics

Operation of a Biometric System (figure: enrollment captures a sample and stores a template; verification compares a fresh sample against the claimed user's template, identification against all templates)

Biometric Accuracy
- two readings of the same user never produce identical templates
- so matching is a similarity score compared with a threshold, with two error types: false match (an impostor is accepted) and false non-match (the genuine user is rejected)
- can plot the characteristic curve of the two rates against the threshold and pick a threshold that balances the error rates for the application
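The threshold trade-off on the two accuracy slides, worked through on constructed data as an added example that is not part of the original slides. The genuine and impostor matcher scores below are made up for the demo (a real system would have thousands of each); the functions compute the false match rate and false non-match rate at every threshold, locate the crossover (equal error rate) and show what a stricter policy costs.

```python
# Constructed matcher scores in [0, 1]; higher means "more like the stored template".
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.66]   # same user
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.60, 0.30, 0.41, 0.55, 0.18, 0.72]  # different user

THRESHOLDS = [i / 100 for i in range(101)]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FMR, FNMR) at a threshold; a sample is accepted iff score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)   # impostors accepted
    fnmr = sum(s < threshold for s in genuine) / len(genuine)     # genuine users rejected
    return fmr, fnmr


def characteristic_curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """The curve the slide refers to: (threshold, FMR, FNMR) for each candidate threshold."""
    return [(t, *error_rates(t, genuine, impostor)) for t in THRESHOLDS]


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold at which FMR and FNMR are closest: the crossover point."""
    return min(characteristic_curve(genuine, impostor),
               key=lambda row: (abs(row[1] - row[2]), row[0]))


def threshold_for_max_fmr(max_fmr, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FMR does not exceed max_fmr, and the FNMR paid for it.

    This is the usual security-first choice: cap how often an impostor gets in,
    then accept the resulting rate of legitimate users being turned away.
    """
    for t, fmr, fnmr in characteristic_curve(genuine, impostor):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    return None


if __name__ == "__main__":
    print("threshold  FMR   FNMR")
    for t, fmr, fnmr in characteristic_curve():
        if round(t * 100) % 10 == 0:
            print(f"{t:8.2f}  {fmr:.2f}  {fnmr:.2f}")
    print("equal error rate at", equal_error_rate())
    print("no impostor accepted from", threshold_for_max_fmr(0.0))
```

On this data the two rates cross at a threshold of 0.67 with both at 10%; pushing the false match rate to zero requires a threshold of 0.73 and doubles the false non-match rate to 20%. Which point is right depends on the application: a building's front door and a nuclear site's vault sit at different places on the same curve.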

Remote User Authentication
- authentication over a network is more complex: problems of eavesdropping and replay
- generally use challenge-response:
  - user sends identity
  - host responds with a random number r
  - user computes f(r, h(p)) and sends it back, where h(p) is the hash of the password and f is a function such as a hash or MAC
  - host compares the value from the user with its own computed value; if they match, the user is authenticated
- protects against a number of attacks: the password itself never crosses the network, and a fresh r for every attempt defeats replay
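Both sides of the challenge-response exchange above, with a replay attempt, as an added example that is not part of the original slides. The slide leaves f and h abstract; here h(p) is SHA-256 of the password and f(r, h(p)) is HMAC-SHA256 keyed with h(p), which are my choices for the demo, as are the 16-byte challenge and the Host/Client class names.

```python
import hashlib
import hmac
import os


def h(password: str) -> bytes:
    """h(p) from the slide: what the host stores, never the password itself."""
    return hashlib.sha256(password.encode()).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """f(r, h(p)) from the slide, instantiated as HMAC-SHA256 keyed with h(p)."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self):
        self.table = {}      # identity -> h(p)
        self.pending = {}    # identity -> outstanding challenge r

    def enroll(self, identity: str, password: str) -> None:
        self.table[identity] = h(password)

    def challenge(self, identity: str) -> bytes:
        # Step 2: a fresh random r for every attempt. Reusing r is exactly
        # what would let a recorded response be replayed.
        r = os.urandom(16)
        self.pending[identity] = r
        return r

    def verify(self, identity: str, response: bytes) -> bool:
        # Step 4: recompute f(r, h(p)) from the stored h(p); each r is
        # consumed on first use so a second answer to it is never accepted.
        r = self.pending.pop(identity, None)
        hp = self.table.get(identity)
        if r is None or hp is None:
            return False
        return hmac.compare_digest(f(r, hp), response)


class Client:
    def __init__(self, identity: str, password: str):
        self.identity = identity
        self.hp = h(password)   # derived once; the password itself is not needed afterwards

    def respond(self, r: bytes) -> bytes:
        # Step 3
        return f(r, self.hp)


def login(host: Host, client: Client) -> bool:
    """Steps 1-4 of the exchange; returns the host's decision."""
    r = host.challenge(client.identity)                        # steps 1 (identity) and 2 (r)
    return host.verify(client.identity, client.respond(r))     # steps 3 and 4


def replay_attack(host: Host, client: Client) -> bool:
    """An eavesdropper records one successful exchange and replays its response."""
    r = host.challenge(client.identity)
    captured = client.respond(r)                 # what the eavesdropper sees on the wire
    host.verify(client.identity, captured)       # the legitimate login succeeds
    host.challenge(client.identity)              # attacker claims the identity, host issues a new r'
    return host.verify(client.identity, captured)   # f(r, h(p)) != f(r', h(p)): rejected


if __name__ == "__main__":
    host = Host()
    host.enroll("alice", "correct horse battery staple")
    print("alice, right password:", login(host, Client("alice", "correct horse battery staple")))
    print("alice, wrong password:", login(host, Client("alice", "wrong")))
    print("replayed response:   ", replay_attack(host, Client("alice", "correct horse battery staple")))
```

Two caveats the slide's "protects against a number of attacks" does not spell out. First, the host must hold h(p) in the clear, so h(p) is a password-equivalent: anyone who steals the table can answer challenges without knowing p, and the table needs the same protection as a password file. Second, f and h are public, so an eavesdropper who records (r, response) can run an offline dictionary attack on p; the scheme hides the password from the wire but does not make a weak password strong.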

Authentication Security Issues
- client attacks (guessing the password or forging the token without involving the host)
- host attacks (attacks on the credentials stored at the host)
- eavesdropping (capturing the credential in transit or by observation)
- replay (reusing a captured response)
- trojan horse (a fake login program or reader captures the credential)
- denial-of-service (e.g. flooding the service with bogus attempts to lock accounts or exhaust resources)

Practical Application (figure)

Case Study: ATM Security (figure)

Summary
- introduced user authentication
- using passwords
- using tokens
- using biometrics
- remote user authentication issues
- example application and case study