Lecture 3 - Passwords and Authentication

Similar documents
Lecture 3 - Passwords and Authentication

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSCI 667: Concepts of Computer Security

Module: Identity and Passwords. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE Computer Security

CSE543 - Introduction to Computer and Network Security. Module: Authentication

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

CSE543 - Introduction to Computer and Network Security. Module: Authentication

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

User Authentication. Modified By: Dr. Ramzi Saifan

CSC 474 Network Security. Authentication. Identification

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

User Authentication. Modified By: Dr. Ramzi Saifan

In this unit we are continuing our discussion of IT security measures.

Authentication KAMI VANIEA 1

Sumy State University Department of Computer Science

CS530 Authentication

Information Security CS 526

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

Passwords. EJ Jung. slide 1

Proving who you are. Passwords and TLS

Information Security CS 526

Computer Security 3/20/18

User Authentication and Passwords

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 565 Computer Security Fall 2018

Computer Security 4/12/19

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

MODULE NO.28: Password Cracking

CNT4406/5412 Network Security

Biometrics problem or solution?

Authentication. Steven M. Bellovin January 31,

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Authentication. Steven M. Bellovin September 26,

5-899 / Usable Privacy and Security Text Passwords Lecture by Sasha Romanosky Scribe notes by Ponnurangam K March 30, 2006

===============================================================================

Computer Security & Privacy

HY-457 Information Systems Security

Lecture 9 User Authentication

User Authentication. Daniel Halperin Tadayoshi Kohno

COMPUTER NETWORK SECURITY

HOST Authentication Overview ECE 525

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication

User Authentication. E.g., How can I tell you re you?

Fundamentals of Linux Platform Security

CPSC 467b: Cryptography and Computer Security

CS 161 Computer Security

CS 161 Computer Security

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

Network Security Fundamentals

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

5. Authentication Contents

Hands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course

Hands-On Network Security: Practical Tools & Methods

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Computer Security: Principles and Practice

Lecture 9. Authentication & Key Distribution

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Authentication & Authorization

Operating Systems Security: User Authentication

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

HumanAUT Secure Human Identification Protocols

Lecture 14 Passwords and Authentication

Integrated Access Management Solutions. Access Televentures

Goals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

User Authentication Protocols Week 7


Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

Lecture Notes for Chapter 3 System Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

What is a security measure? Types of security measures. What is a security measure? Name types of security measures

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

CS Computer Networks 1: Authentication

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Crypto meets Web Security: Certificates and SSL/TLS

Web Security, Summer Term 2012

Web Security, Summer Term 2012

CSC 580 Cryptography and Computer Security

Authentication. Tadayoshi Kohno

Security and Usability Computer Security: Lecture 9. 9 February 2009 Guest Lecture by Mike Just

2. Access Control. 1. Introduction

Authentication Handshakes

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

Outline Key Management CS 239 Computer Security February 9, 2004

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Intruders, Human Identification and Authentication, Web Authentication

Chapter 3: User Authentication

CS System Security Mid-Semester Review

COMPGA12 1 TURN OVER

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

CSC 474/574 Information Systems Security

Transcription:

Lecture 3 - Passwords and Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12

What is authentication? Reliably verifying the identity of someone Q: How do you do this in practice today? A: A human scale protocol? 1. A and B ask for credentials (implicitly or explicitly) 2. B provides credential to A who verifies it 3. A provides credential to B who verifies it Both parties are authenticated: mutual authentication The question is, what credentials do you use? The answer is context specific, where the kinds of credentials and the level of due diligence is related to the tasks for which the entity is being authenticated 2

What is Identity? That which gives you access which is largely determined by context We all have lots of identities Pseudo-identities Really, determined by who is evaluating credential Driverʼs License, Passport, SSN prove Credit cards prove Signature proves Password proves Voice proves Exercise: Give an example of bad mapping between a credential and the purpose for which it was used. 3

Credentials are evidence used to prove identity Credentials can be Something I am Something I have Something I know 4

Something you know Passport number, mothers maiden name, last 4 digits of your social security, credit card number Passwords and pass-phrases Note: passwords are generally pretty weak University of Michigan: 5% of passwords were goblue Passwords used in more than one place Not just because bad ones selected: If you can remember it, then a computer can guess it Computers can often guess very quickly Easy to mount off-line attacks Easy countermeasures for on-line attacks 5

Passwords (cont.) Entropy vs. memorability The more complex a password the harder it is to guess...... and the harder it is to remember. Thus, we write them down. Preventing online attacks Tracking bad guesses and locking account Slowing after each guess Problems here? Preventing offline attacks Hashing, salting passwords Protected Storage Q: password policies: setting standards helpful? 6

Password Security Who is an adversary? What are the threats? What are the vulnerabilities? Username, Password User Server Y/N 7

Attack How does the attack work? Passive attack User Username, Password Y/N Router Server 8

Not my system Did systems really work this way? A slew of them rlogin, telnet, ftp, etc. Solutions Secure communication of passwords Cryptographic protocols: SSL, SSH What about other places where the password is available? on computer on paper 9

Password Storage Store password as a hash of its value Originally stored in /etc/passwd file Not in the clear Hash function: cryptographic Like a checksum One-way function: Using output H(x) cannot find x Collision-free function: Highly unlikely that H(x)=H(y) if x not equal y Problems Think about threats and vulnerabilities? 10

Password Cracking Attacker can access the hashed password Can guess and test passwords offline Called password cracking Lots of help John the Ripper How well do these work? 11

Password Cracking We ran John the Ripper on CSE authentications 3500 in all In first hour, 25% were recovered About half of these due to dictionary attacks But, half using other heuristics and brute force Over 5 days, 35% were recovered Steady state recovery due to brute force What happens when search get faster? 95 characters and a 8 char password (/2) = 3.3x10 15 Sounds like a long time, but... Parallelism: E.g., botnets, multiple cores Botnet of 100,000 could crack in a day by next year 12

Password Protection Access: Change the way passwords are stored /etc/shadow which is only accessible to root Length: Increase password length to 12 characters Use Entropy: Still need random passwords Problems: A common network protocol still sends password material that could be collected and cracked That is what we used, not /etc/shadow How many 12 char passwords can you remember? Password generation is not well-thought out Could use pwgen or others 13

Password Policies One PSU studentʼs opinion First of all why regulate studentʼs password security? It should be up to the student to change his or her password if he or she chooses to do so. Of someone wishes to share his or her password with someone else, let them. Itʼs obvious that the whole ordeal is meant to show the administrationʼs depth of control over the student population. 14

Other Password Problems Often social factors are more of a problem Social Engineering Share passwords shoulder surfing Post-its Internet How many different passwords can you have? Same one for every server? Phishing sites Trick you into revealing your password 15

Something your have Tokens (transponders, ) Speedpass, EZ-pass Smartcards Digital Certificates (used by Websites to authenticate themselves to customers) More on this later 16

Two-Factor Authentication Combine what you know (e.g., passwords) with what you have Example Grade entry Requires password And RSA SecurID value Smartcard and PIN 17

Something your are Biometrics measure some physical characteristic Fingerprint, face recognition, retina scanners, voice, signature, DNA Can be extremely accurate and fast Active biometrics authenticate Passive biometrics recognize What is the fundamental problem? Revocation lost fingerprint? Great for physical security, generally not feasible for online systems Definitely will need a second factor 18

Take Away Authentication is a fundamental security mechanism Practical methods are in broad use Have limited effectiveness Need support of cryptography What weʼll discuss next week 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback