Authentication Objectives People Authentication I

Similar documents
CSC 474 Network Security. Authentication. Identification

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

In this unit we are continuing our discussion of IT security measures.

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan

CSE 565 Computer Security Fall 2018

Password. authentication through passwords

Lecture 9 User Authentication

Chapter 3: User Authentication

CS530 Authentication

MODULE NO.28: Password Cracking

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CSC 405 Introduction to Computer Security

Chapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger.

Operating systems and security - Overview

Operating systems and security - Overview

Computer Security: Principles and Practice

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

Unit-VI. User Authentication Mechanisms.

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Authentication systems. Authentication methodologies. User authentication. Authentication systems (auth - april 2011)

Passwords. EJ Jung. slide 1

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Information Security & Privacy

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Security and Authentication

Lecture 14 Passwords and Authentication

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

COMPUTER NETWORK SECURITY

Authentication. Chapter 2

Authentication CS 136 Computer Security Peter Reiher January 22, 2008

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

Computer Security 3/20/18

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

HOST Authentication Overview ECE 525

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

TABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure

User Authentication Protocols

User Authentication Protocols Week 7

Authentication Technology Alternatives. Mark G. McGovern Chief Technologist Smart Cards, Crypto, Stego, PKI Lockheed Martin

Evaluating Alternatives to Passwords

CS System Security Mid-Semester Review

5. Authentication Contents

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Authentication, Passwords. Robert H. Sloan

CNT4406/5412 Network Security

O/S & Access Control. Aggelos Kiayias - Justin Neumann

Sumy State University Department of Computer Science

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

COMPUTER PASSWORDS POLICY

User Authentication and Passwords

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

ECEN 5022 Cryptography

Keystroke Dynamics: Low Impact Biometric Verification

Biometric Device Assistant Tool: Intelligent Agent for Intrusion Detection at Biometric Device using JESS

Access Controls. CISSP Guide to Security Essentials Chapter 2

CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management

Undergraduate programme in Computer sciences

Biometric Security Roles & Resources

Password Policy Best Practices

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Lecture 3 - Passwords and Authentication

Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution

INTUS 1600PS Palm Vein Authentication

An Overview of Biometric Image Processing

Information Security CS 526

Hands-On Network Security: Practical Tools & Methods. Hands-On Network Security. Roadmap. Security Training Course

Hands-On Network Security: Practical Tools & Methods

Radius, LDAP, Radius, Kerberos used in Authenticating Users

PASSWORD POLICY. Policy Statement. Reason for Policy/Purpose. Who Needs to Know This Policy. Website Address for this Policy.

Computer Security. 10. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Computer Security 4/15/18

Syllabus: The syllabus is broadly structured as follows:

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Intruders, Human Identification and Authentication, Web Authentication

Introduction to Security and User Authentication

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 19

Authentication Methods

Lecture 3 - Passwords and Authentication

CSCI 667: Concepts of Computer Security

Authentication. Tadayoshi Kohno

New Era of authentication: 3-D Password

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Computer Security (EDA263 / DIT 641)

Fundamentals of Linux Platform Security

Security Requirements for Crypto Devices

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Intruders and Intrusion Detection. Mahalingam Ramkumar

Password authentication How passwords are compromised How to protect and choose passwords Other types of authentication Biometrics

User Authentication. E.g., How can I tell you re you?

User Authentication. Tadayoshi Kohno

Biometrics problem or solution?

Transcription:

Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.) Resource validation (proof of identity) Access control (permission lists) Monitoring (online, offline) Auditing (logs, books) Other... Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 1 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 2 Authentication Considerations Authentication Methods Accuracy Level Validation Time Processing Power Operating Costs System Reliability Ease of Forging Ease of Use Portability Transferability Revocability 1. Something the user knows: Memorable Data passwords, pass phrases, personal information 2. Something the user is/has: Biometrics finger prints, palm geometry, retina scan, iris scan, face recognition, signature characteristics, typing characteristics, DNA recognition 3. Something the user holds: Tokens ID card, paper card, key, smart card, crypto token, etc. Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 3 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 4 Passwords (I) Passwords (II) Desirable properties: Password should be easy to remember Password should be hard to guess Problem: Cannot achieve desirable two properties above with (current) humans Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 5 Password lengths at some university (from a study in the early 1990 s): Length Number Percentage 1 55 0.4 2 87 0.6 3 212 2 4 449 3 5 1260 9 6 3035 22 7 2917 21 8 5772 42 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 6

Passwords (III) Passwords (IV) Common situation: Short passwords (between 4 and 8 characters) English words (few thousands) Names (few hundreds) Personal data (easy to obtain) Combinations of above (easy to compute) Passwords are written somewhere (easy to find) Password in many systems (break one break all) Attacks on passwords: Password guessing Searching for passwords Online dictionary attacks Offline password cracking Sniffing communication lines Social engineering Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 7 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 8 Passwords (V) How/where passwords are Stored: Not hidden and not access-protected (some PC s) Hidden but not access-protected (some appliances) Access-protected (Unix, NT, other OS) Encrypted (but where is the key stored) Hashed (Unix, NT, other OS) Protected server (distributed systems) Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 9 Passwords (VI) Unix salt mechanism: When user A opens an account, a password pw A is defined, and a random 12-bit salt A is selected The Unix password file stores both salt A and the value of h(pw A, salt A ) at the entry for user A When a user attempts to log on as A and types some pw, the system takes salt A from A s entry in the file, computes h(pw, salt A ), and compares the result to what is stored in the file. A match allows logging on. This scheme makes online dictionary attacks infeasible (since each password can be hashed in 4096 = 2 12 ways). This scheme is not resilient against offline password cracking. Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 10 Passwords (VII) Passwords (VIII) Password breaking recipes: Try default passwords used in standard system accounts Exhaustively search all short passwords Try words from online dictionaries Collect and try data that is related to users (user names, family member names, birth dates, identification numbers, etc.) Try common combinations of user data (e.g., reverse writing, adding digits at end of passwords, etc.) Look for written passwords Observe password typing patterns Password breaking recipes (continued): Use a Trojan horse to steal users passwords Eavesdrop to communication lines Get access to passwords files Analyze the (hashed / encrypted) passwords file Get from machine to machine with OS facilities and/or with known passwords Pretend to be a legitimate user and ask the administrator to issue you a new password Pretend to be a legitimate administrator and ask the user to disclose the password Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 11 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 12

Passwords (IX) System recommendations: Educate users of importance of password security Monitor user accounts for suspicious behavior Lock account after a number of unsuccessful login attempts Keep password file encrypted or hashed Use password strengthening mechanisms (e.g. Unix salt) Keep password files in secure locations (directories in the file system, special servers, etc.) Request users to change passwords frequently Run password cracking tests and disallow weak passwords Use passwords only as one factor in authentication process Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 13 Passwords (X) Password selection recommendations: Use combinations of letters, upper-case, lower-case, digits, other characters Change passwords frequently Use different passwords in different systems Use random passwords (8-10 characters long) Use readable passwords (16-20 characters) Use pass-phrases (30-40 character sentences) Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 14 Passwords (XI) Password Administration Scenario: Admin: Passwords must be changed every 90 days User: Changes the password to the same password Admin: Check that password is changed to a new one User: Changes the password and changes again to the old one Admin: Tracks last n passwords and checks that password is new User: Changes the password n+1 times and returns to old one Admin: Disallows more than one password change per day User: Changes to the same password with 1, 2, 3, at the end Admin: Disallows passwords that are too similar to old ones User: Invents a random password and writes it down on paper Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 15 Passwords (XII) Summary: Accurate negative Not accurate positive Secret user data Secret server data Easy to break Simple to operate Portable Transferable Not easily revocable Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 16 Biometrics (I) Biometrics consists of checking physical, biological or physiological properties of a person Certain properties are highly unique to each person Need to select properties that are: Easy to detect Provide high levels of accuracy Need to maintain database of biometrics parameters Biometrics (II) Finger Prints: 2-D geometry 3-D geometry Liveliness checks (pulse, temperature, etc) Capacitance / resistance checks Relatively accurate Needs maintenance Acceptance level is increasing Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 17 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 18

Biometrics (III) Biometrics (IV) Palm Geometry: 2-D geometry Finger lengths Finger widths Gaps between fingers Good accuracy Low maintenance High acceptance Retina Scan: 2-D map of blood vessels Blood vessels are warmer than surrounding tissues Detected by IR radiation Expensive (special equipment) Invasive (low acceptance) Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 19 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 20 Biometrics (V) Biometrics (VI) Iris Scan: 2-D map of iris texture Detection by camera Relatively accurate Inexpensive Non-invasive (high acceptance) Face Recognition: 2-D image Bone-muscle model Under-skin thermal radiation Detection by camera / IR Good accuracy Non-invasive Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 21 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 22 Biometrics (VII) Biometrics (VIII) Signature Characteristics: 2-D image Dynamic signature Online test Speed, pressure, angles, etc. Typing Characteristics: Dynamic typing parameters Speed, gaps, letter patterns Online test Could be tacit Low maintenance High acceptance Low maintenance High acceptance Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 23 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 24

Biometrics (IX) Biometrics (X) DNA Recognition: DNA matching against known patterns Biometric System Components: Sample could be taken from external tissues Digitized Sample Sample Query Biometric Sample Sensor Command DB Expensive (equipment) Conceived as invasive Not widely used (yet) Device Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 25 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 26 Biometrics (XI) Biometrics (XII) Accuracy levels: FAR False Accept Ratio FRR False Reject Ratio Biometrics Summary: Not totally accurate (positive & negative) Private data (not secret data) Accuracy Level FRR Easy to steal data Costly to operate Portable Non-transferable FAR Measurement Complexity Non-revocable Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 27 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 28 Tokens (I) Tokens (II) Physical Tokens: Physical keys (to physical locks) Paper/plastic cards (ID, passwords, procedures, etc.) Smart cards (crypto keys, algorithms, contact or contact-less, etc.) Assist in opening / remembering / computing Tokens Summary: Highly accurate (positive & negative) Secret data / code Some are hard to forge Some are expensive Simple but costly Portable Some are transferable Some are revocable Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 29 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 30

One-Time Passwords (I) Password Lists: User has card with N one-time passwords stores password list Need to administer after N uses One-Time Passwords (II) S/Key: Card stores seed X 0 of a hash chain of length N stores end of hash chain: X N = H (N) (X 0 ) User submits password X i = H (N-i) (X 0 ) at use i Need to administer after N uses PW 1 PW 2... PW N PW i PW 1 PW 2... PW N Hash Engine (X 0, N) X i = H (N-i) (X 0 ) X N Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 31 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 32 Crypto Tokens (I) Crypto Tokens (II) Token types: Lists of one-time-passwords Hash Engines for S/Key-like protocols Crypto keys and algorithms Clocks and time-synchronization algorithms Password / PIN for token enabling / disabling Password / PIN can be part of protocol Cryptographic Time-Challenge-Response Tokens: User enters PIN to enable token Token computes one-time-password based on: secret key, current time, user PIN verifies one-time-password PIN key clock PW = H( key, clock, PIN ) key clock PIN Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 33 Dr. Shlomo Kipnis Fall 2003/2004 Hebrew University 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback