Information Security & Privacy

Similar documents
Authentication. Murat Kantarcioglu

Authentication. Amit Konar Math and Computer Sc., UMSL

CSE509: (Intro to) Systems Security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

User Authentication. Modified By: Dr. Ramzi Saifan

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

CSE 565 Computer Security Fall 2018

User Authentication. Modified By: Dr. Ramzi Saifan

Lecture 14 Passwords and Authentication

Computer Security: Principles and Practice

Topics. Authentication System. Passwords

Authentication. Chapter 2

CSC 474 Network Security. Authentication. Identification

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Lecture 9 User Authentication

CS530 Authentication

Authentication Objectives People Authentication I

User Authentication. Daniel Halperin Tadayoshi Kohno

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

Chapter 3: User Authentication

Authentication CS 136 Computer Security Peter Reiher January 22, 2008

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

HY-457 Information Systems Security

Authentication. Tadayoshi Kohno

Identification Schemes

Key Escrow. Desirable Properties

CNT4406/5412 Network Security

COMPUTER NETWORK SECURITY

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

User Authentication Protocols Week 7

ECEN 5022 Cryptography

Operating systems and security - Overview

Operating systems and security - Overview

Passwords. EJ Jung. slide 1

L7: Authentication. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

BIOMETRIC MECHANISM FOR ONLINE TRANSACTION ON ANDROID SYSTEM ENHANCED SECURITY OF. Anshita Agrawal

Operating Systems. Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) alphapeeler.sf.net/pubkeys/pkey.htm

User Authentication Protocols

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Attacking Your Two-Factor Authentication (PS: Use Two-Factor Authentication)

IS-2150/TEL-2810 Introduction to Computer Security Quiz 2 Thursday, Dec 14, 2006

HOST Authentication Overview ECE 525

User Authentication. E.g., How can I tell you re you?

Sumy State University Department of Computer Science

Goals. Understand UNIX pw system. Understand Lamport s hash and its vulnerabilities. How it works How to attack

Lecture 3 - Passwords and Authentication

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication

MODULE NO.28: Password Cracking

Password authentication How passwords are compromised How to protect and choose passwords Other types of authentication Biometrics

CSC 405 Introduction to Computer Security

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 19

Information Security CS 526

User Authentication and Passwords

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Authentication KAMI VANIEA 1

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Lecture 3 - Passwords and Authentication

HumanAUT Secure Human Identification Protocols

The Need for Biometric Authentication

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Lecture 9. Authentication & Key Distribution

Systems Analysis and Design in a Changing World, Fourth Edition

CIT 380: Securing Computer Systems

5-899 / Usable Privacy and Security Text Passwords Lecture by Sasha Romanosky Scribe notes by Ponnurangam K March 30, 2006

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Integrated Access Management Solutions. Access Televentures

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

===============================================================================

In this unit we are continuing our discussion of IT security measures.

Microsoft Exam Security fundamentals Version: 9.0 [ Total Questions: 123 ]

(2½ hours) Total Marks: 75

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13

Cryptography Math/CprE/InfAs 533

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

CSCI 667: Concepts of Computer Security

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

A Smart Card Based Authentication Protocol for Strong Passwords

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

CS 161 Computer Security

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

Garantía y Seguridad en Sistemas y Redes

Biometrics. Overview of Authentication

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CIT 480: Securing Computer Systems. Authentication

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Intruders, Human Identification and Authentication, Web Authentication

Information Security CS 526

Transcription:

IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 8 Feb 24, 2015 Authentication, Identity 1

Objectives Understand/explain the issues related to, and utilize the techniques Authentication and identification Passwords 2

Authentication and Identity 3

What is Authentication? Authentication: Binding identity and external entity to subject How do we do it? Entity knows something (secret) Passwords, id numbers Entity has something Badge, smart card Entity is something Biometrics: fingerprints or retinal characteristics Entity is in someplace Source IP, restricted area terminal 4

Authentication System: Definition A: Set of authentication information used by entities to prove their identities (e.g., password) C: Set of complementary information used by system to validate authentication information (e.g., hash of a password or the password itself) F: Set of complementation functions (to generate C) f : A C Generate appropriate c C given a A L: set of authentication functions l: A C { true, false } verify identity S: set of selection functions Generate/alter A and C e.g., commands to change password 5

Authentication System: Passwords Example: plaintext passwords A = C = alphabet* f returns argument: f(a) returns a l is string equivalence: l(a, b) is true if a = b Complementation Function Null (return the argument as above) requires that c be protected; i.e. password file needs to be protected One-way hash function such that Complementary information c = f(a) easy to compute -1 f (c) difficult to compute 6

Passwords Example: Original Unix A password is up to eight characters each character could be one of 127 possible characters; A contains approx. 6.9 x 10 16 passwords Password is hashed using one of 4096 functions into a 11 character string 2 characters pre-pended to indicate the hash function used C contains passwords of size 13 characters, each character from an alphabet of 64 characters Approximately 3.0 x 10 23 strings Stored in file /etc/passwd (all can read) 7

Authentication System Goal: identify the entities correctly Approaches to protecting Hide enough information so that one of a, c or f cannot be found Make C readable only to root Make F unknown Prevent access to the authentication functions L root cannot log in over the network 8

Attacks on Passwords Dictionary attack: Trial and error guessing Type 1: attacker knows A, F, C Guess g and compute f(g) for each f in F Type 2: attacker knows A, l l returns True for guess g Counter: Difficulty based on A, Time Probability P of breaking a password G be the number of guesses that can be tested in one time unit A TG/P Assumptions: time constant; all passwords are equally likely 9

Password Selection Random Depends on the quality of random number generator; Size of legal passwords 8 characters: humans can remember only one Pronounceable nonsense Based on unit of sound (phoneme) Easier to remember User selection (proactive selection) Controls on allowable At least 1 digit, 1 letter, 1 punctuation, 1 control character Obscure poem verse 10

Password Selection Reusable Passwords susceptible to dictionary attack (type 1) Salting can be used to increase effort needed makes the choice of complementation function a function of randomly selected data Random data is different for different user Authentication function is chosen on the basis of the salt Many Unix systems: A salt is randomly chosen from 0..4095 Complementation function depends on the salt 11

Password Selection Password aging Change password after some time: based on expected time to guess a password Disallow change to previous n passwords Fundamental problem is reusability Replay attack is easy Solution: Authenticate in such a way that the transmitted password changes each time 12

Authentication Systems: Challenge-Response Pass algorithm authenticator sends message m subject responds with f(m) f is a secret encryption function Example: ask for second input based on some algorithm 13

Authentication Systems: Challenge-Response One-time password: invalidated after use f changes after use S/Key uses a hash function (MD4/MD5) User chooses an initial seed k Key generator calculates k 1 = h(k), k 2 = h(k 1 ), k n = h(k n-1 ) Passwords used in the order p 1 = k n, p 2 = k n-1,, p n =k 1 Suppose p 1 = k n is intercepted; the next password is p 2 = k n-1 Since h(k n-1 ) = k n, the attacker needs to invert h to determine the next password 14

Authentication Systems: Biometrics Used for human subject identification based on physical characteristics that are tough to copy Fingerprint (optical scanning) Camera s needed (bulky) Voice Speaker-verification (identity) or speaker-recognition (info content) t) Iris/retina patterns (unique for each person) Laser beaming is intrusive Face recognition Facial features can make this difficult Keystroke interval/timing/pressure 15

Attacks on Biometrics Fake biometrics fingerprint mask copy keystroke pattern Fake the interaction between device and system Replay attack Requires careful design of entire authentication system 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback