CIT 480: Securing Computer Systems. Authentication

Similar documents
CIT 380: Securing Computer Systems

Authentication and Passwords. CSC 482/582: Computer Security

Authentication Technologies

CIT 380: Securing Computer Systems

CIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies

CIT 480: Securing Computer Systems. Operating System Concepts

CIT 480: Securing Computer Systems. Putting It All Together

Processes are subjects.

Authentication System

Processes are subjects.

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

CIT 470: Advanced Network and System Administration. Topics. Risk Management. Security

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

CS530 Authentication

CSC 405 Introduction to Computer Security

IS 2150 / TEL 2810 Information Security and Privacy

CIT 480: Securing Computer Systems. Incident Response and Honeypots

CIS 5373 Systems Security

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]

Datasäkerhet/Data security EDA625 Lect5

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Information Security & Privacy

Topics. Authentication System. Passwords

Authentication Objectives People Authentication I

Operating system security

CSE 265: System and Network Administration

Processes and authentication

CSC 474 Network Security. Authentication. Identification

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication. Chapter 2

Data Security and Privacy. Unix Discretionary Access Control

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Lecture 3 - Passwords and Authentication

BIOMETRIC MECHANISM FOR ONLINE TRANSACTION ON ANDROID SYSTEM ENHANCED SECURITY OF. Anshita Agrawal

User Authentication. Modified By: Dr. Ramzi Saifan

Lecture 3 - Passwords and Authentication

Chapter 5: User Management. Chapter 5 User Management

Lecture 9. Authentication & Key Distribution

User & Group Administration

Authentication Methods

User Authentication. Modified By: Dr. Ramzi Saifan

Authentication. Amit Konar Math and Computer Sc., UMSL

CS615 - Aspects of System Administration. Multiuser Fundamentals

Systems Analysis and Design in a Changing World, Fourth Edition

CNT4406/5412 Network Security

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Evaluating Alternatives to Passwords

Operating systems and security - Overview

Operating systems and security - Overview

HOST Authentication Overview ECE 525

Introduction. Ahmet Burak Can Hacettepe University. Information Security

Lecture 9 User Authentication

Keys and Passwords. Steven M. Bellovin October 17,

Introduction to Security

MANAGING THE NONUNIFORM BEHAVIOUR OF TERMINALS AND KEYBOARDS. : WHEN THINGS GO WRONG

COMPGA12 1 TURN OVER

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Copyright

Unit-VI. User Authentication Mechanisms.

User authentication:

CPET 581 E-Commerce & Business Technologies. References

Introduction to Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Biometrics. Something you are A characteristic of the body Presumed unique and invariant over time. Steven M. Bellovin February 5,

Discovering Computers Living in a Digital World

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Passwords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014

O/S & Access Control. Aggelos Kiayias - Justin Neumann

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Computer Security: Principles and Practice

MDR-1 Mobile Document Reader

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

What is RFID, where is it being used and why? Security implications of RFID Why is it being used to secure passports? The methodology used to asses

TPM v.s. Embedded Board. James Y

SSH. Partly a tool, partly an application Features:

Passwords. EJ Jung. slide 1

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

User accounts and authorization

Pre-Assessment Answers-1

Introduction to Information & Communication Technologies

MSc-IT 1st semester Fall

Unix, History

Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

Operating system security models

Introduction to Computer Security

Three Level Authentication for Student Attendance Management System

CIT 480: Securing Computer Systems

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

CSE 565 Computer Security Fall 2018

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

Security. Advanced Operating Systems and Virtualization Alessandro Pellegrini A.Y. 2017/2018

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

Transcription:

CIT 480: Securing Computer Systems Authentication

Topics 1. Digital Identity and Groups 2. Authentication 3. Formal Definition 4. Authentication Types 5. Tokens 6. Biometrics 7. UNIX Authentication

Digital Identity A digital identity is data that uniquely describes a subject, which may be a person, process, or machine. Personal Identities Username User ID E-mail address Machine Identities Inventory number IP address SSL certificate

Groups and Roles Definitions A group is a set of users. A role is a set of users with a common task. In practice, little difference on most systems. Purpose Groups simplify access control by reducing the number of subjects.

Authentication Authentication is the act of verifying than an entity is who or what they claim they are. Authentication can be based on 1. What the entity knows (e.g., passwords) 2. What the entity has (e.g., access card) 3. What the entity is (e.g., fingerprints) Or a combination of two or more of 1..3, which is known as Multi Factor Authentication (MFA).

Importance of Authentication Access Control Most systems base access rights on identity of principal executing the process. Accountability Logging and auditing functions. Need to track identity across account/role changes (e.g., su, sudo).

Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A C generate C from A L: set of authentication functions l: A C {T,F} verify identity S: set of selection functions enable entity to create or alter A or C

What You Know (Passwords) Example: Authenticate with 8-character alphanumeric password. System compares against stored MD5 hash. A = [A-Za-z0-9]{8} C = 22-char Base64 strings F = { MD5 } L = { MD5(A)==C }

What You Have (Tokens) Disconnected tokens Connected tokens Wireless Smart cards RFID used for toll collection Online banking Digipass

Token Information Types Static Password Token: contain a physically hidden password that is transmitted for each authentication. Example: car keys. Synchronous Dynamic Token: Password changes every N seconds. Time synchronized with server. Asynchronous Dynamic Token: One-time password generated algorithmically. Challenge-Response Token: Server sends random challenge to token; device computes response with a cryptographic algorithm.

RFID Radio Frequency Identification Types of Tags Passive: use power from reader signal Active: internal power source Applications Product tracking (EPC barcode replacement) Transportation payment Automotive (embedded in car keys) Passports Human implants EPC RFID Tag

What You Are (Biometrics) Identification by human characteristics: 1. Physiological 2. Behavioral A biometric characteristic should be: 1. universal: everyone should have it 2. unique: no two people should share it 3. permanent: it should not change with time 4. quantifiable: it must be practically measurable

Biometric System Example: User authenticates with fingerprint. System compares to stored fingerprint template. A = { user fingerprints } C = { digital fingerprint templates } F = { scanner + analog->digital } L = { tunable similarity function }

How Biometrics Work

Types of Biometrics

Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised.

Eye Biometrics Iris Scan Lowest false accept/reject rates of any biometric. Person must hold head still and look into camera. Retinal Scan Cataracts and pregnancy change retina pattern. Lower false accept/reject rates than fingerprints. Intrusive and slow.

Measurement Outcomes Actual Identity Valid User Adversary Biometric Measurement Valid User Adversary True Positive False Positive False Negative True Negative

False Positive/Negative Tradeoff Errors False Negative Rate False Positive Rate Sensitivity

Biometrics can be compromised. Unique identifiers, not secrets. You can change a password. You can t change your iris scan. Examples: You leave your fingerprints every place. It s easy to take a picture of your face. Other compromises. Use faux ATM-style devices to collect biometrics. Obtain all biometric templates from server.

UNIX Authentication UNIX identifies user with a UID Username is for humans, UID for computers. 15-bit to 32-bit unsigned integer. UID=0 is the superuser, root. Identity and authentication data stored in /etc/passwd /etc/shadow /etc/group

/etc/{passwd,shadow} Central file(s) describing UNIX user accounts. /etc/passwd Username UID Default GID GCOS Home directory Login shell /etc/shadow Username Encrypted password Date of last pw change. Days til change allowed. Days `til change required. Expiration warning time. Expiration date. student:x:1000:1000:example User,1212:/home/student:/bin/bash student:$1$w/uuktlf$otssvxtsn/xjzuogfelnz0:13226:0:99999:7:::

Groups and GIDs GIDs are 32-bit non-negative integers. Each user has a default GID. File group ownership set to default GID. Temporarily change default GID: newgrp. Groups are described in /etc/group Users may belong to multiple groups. Format: group name, pw, GID, user list. wheel:x:10:root,waldenj,bergs

Superuser Powers Superuser can Read any file. Modify any file. Add / remove users. Become any user. Kill any process. Reprioritize processes. Configure network. Set date/time. Shutdown / reboot. Superuser can t Change read-only filesystem. Decrypt hashed passwords. Modify NFS-mounted filesystems. Read or modify SELinux protected files.

Switching Users with su > id uid=102(wj) gid=102(wj) groups=102(wj) > su Password: # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm) # su john john$ id uid=1995(john) gid=1995(john) groups=1995(john) john$ exit # exit > id uid=102(wj) gid=102(wj) groups=102(wj)

Real and Effective UIDs Real UID The UID matching the username you logged in as. Effective UID The UID that is checked for access control. The su command changes your EUID. SETUID programs A SETUID program executes with an EUID of the owner of the program instead of yours. /usr/bin/passwd is SUID root. Why?

Key Points 1. Access control and audit are based on identity. 2. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user s identity 1. something you know (passwords) 2. something you have (tokens) 3. something you are (biometrics) 4. somewhere you are (location) 3. UNIX authentication Usernames, UIDs, groups, GIDs Storage: /etc/{passwd,shadow} and /etc/group Real and effective UIDs SETUID mechanism

References 1. Ross Anderson, Security Engineering, 2 nd edition, Wiley, 2008. 2. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 3. DigitalPersona, http://www.digitalpersona.com/company/news/presskit.php, 2006. 4. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3 rd Edition, O Reilly, 2003. 5. Ben Mook, Md. pilot program tracks drivers speed, location via cell phones, The Daily Record, October 21, 2005, http://www.mddailyrecord.com/pub/5_398_friday/businessnews/172883-1.html 6. Bruce Schneier, Biometrics: Truths and Fictions, Cryptogram, http://www.schneier.com/crypto-gram-9808.html#biometrics, 1998. 7. Bruce Schneier, The Curse of the Secret Question, http://www.schneier.com/essay-081.html, 2005. 8. Orville Wilson, Privacy & Identity - Security and Usability: The viability of Passwords & Biometrics, http://facweb.cs.depaul.edu/research/vc/ciplit2004/ppt/orville_wilson.ppt, 2004.

Released under CC BY-SA 3.0 This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share to copy and redistribute the material in any medium to Adapt to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback