User authentication:

Similar documents
Authentication. Administrative VM login credentials. September 8, CentOS-6.4 root

Protection in General-purpose Operating Systems

YubiKey Mac Operating System Login Guide

Secure All The Things Using a Yubikey for 2-Factor on (Almost) All Your Accounts. Jesse Stengel The University of Arizona

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

HOST Authentication Overview ECE 525

YUBIKEY SET-UP AND USE

Authentication Technologies

Attacking Your Two-Factor Authentication (PS: Use Two-Factor Authentication)

YubiKey PIV Manager User's Guide

Pro s and con s Why pins # s, passwords, smart cards and tokens fail

F-Secure SSH and OpenSHH. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Systems Programming. COSC Software Tools. Systems Programming. High-Level vs. Low-Level. High-Level vs. Low-Level.

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

CSI 402 Lecture 11 (Unix Discussion on Files continued) 11 1 / 19

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

RSA Ready Implementation Guide for. VMware vsphere Management Assistant 6.0

YubiKey Personalization Tool. User's Guide

Embracing the Phone as a Token What You Need To Know Andy Kemshall Co-Founder

Authentication KAMI VANIEA 1

BIOMETRIC MECHANISM FOR ONLINE TRANSACTION ON ANDROID SYSTEM ENHANCED SECURITY OF. Anshita Agrawal

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

RSA SecurID Ready Implementation Guide. Last Modified: November 19, 2009

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

ssh and handson Matsuzaki maz Yoshinobu 1

Key File Generation. November 14, NATIONAL STUDENT CLEARINGHOUSE 2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171

CS 33. Files Part 2. CS33 Intro to Computer Systems XXI 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

CESecure Quick Start Guide

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

CMS-i First Time Activation User Guide

Connecting to the NJITSecure wireless network.

CS530 Authentication

U3 Encryption Utility User Guide

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Codebook. Codebook for OS X Introduction and Usage

UNIX input and output

Biometrics problem or solution?

ConnectUPS-X / -BD /-E How to use and install SSL, SSH

Evaluating Alternatives to Passwords

Device LinkUp Manual. Android

CIT 480: Securing Computer Systems. Authentication

Homework #1: SSH. Step 1: From the start button (lower left hand corner) type Secure. Then click on the Secure Shell File Transfer Client.

AT&T Global Network Client for Mac User s Guide Version 2.0.0

Smart Cards and Authentication. Jose Diaz Director, Technical and Strategic Business Development Thales Information Systems Security

AT&T Global Network Client for Mac User s Guide Version 1.7.3

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library

프로세스간통신 (Interprocess communication) i 숙명여대창병모

Raspberry Pi Setup Tutorial

Verizon Registration Process:

User Authentication. Modified By: Dr. Ramzi Saifan

Device LinkUp User Manual OS X

Creating a Yubikey MFA Service in AWS

When the player powers up you will first see a CeeNee loading screen followed by the Orchid screen seen below.

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

ECE112 - Lab 6. Purpose. Parts/tools needed: Make sure we have a properly working environment

Congratulations! You just ordered IdentaMaster software package featuring Biometric login, File/Folder Encryption and Entire Drive Encryption.

WinDSX New Installations

Lab 0: Intro to running Jupyter Notebook on a Raspberry Pi

CS 161 Computer Security

Remote Access to Unix Machines

SSH Algorithms for Common Criteria Certification

How to SSH to nice.fas.harvard.edu from Windows

User Authentication. Modified By: Dr. Ramzi Saifan

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

How to Secure SSH with Google Two-Factor Authentication

EOH-SASOL - Setup Sasol Mobile Express (Client)

YubiHSM 2 for ADCS Guide. Securing Microsoft Active Directory Certificate Services with YubiHSM 2

User manual. MiniKiosk II

Using the Microsoft Remote Desktop on non-windows devices

CS Operating Systems Lab 3: UNIX Processes

Author A.Kishore/Sachin WinSCP

Authentication Objectives People Authentication I

Remote Access VPN Setup

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo

Florence Blanc-Renaud Senior Software Engineer - Identity Management - Red Hat

SmartCVS Tutorial. Starting the putty Client and Setting Your CVS Password

Verizon Registration Process:

RHS EPCS Webinar 1 of 3

SSH Communications Tectia 6.4.5

User guide Handelsbanken s card reader

Jackson State University Department of Computer Science CSC / Computer Security Fall 2013 Instructor: Dr. Natarajan Meghanathan

User Manual: SuisseID Signing Service by QuoVadis

I/O OPERATIONS. UNIX Programming 2014 Fall by Euiseong Seo

ReACT New User Setup, Password Reset and Account Unlock Instructions

BSD-BSS system user guide

Integration tool user manual

The Discovery Wizard now provides the ability to create SNMP Setups that can be selected for individual discoveries. An SNMP Setup specifies:

Login Defender. Quick Guide. Copyright by Cryptware di Ugo Chirico

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

NEXT BIOMETRICS NB-3020-U2 WINDOWS 10 INSTALLATION GUIDE VERSION: 1.0

Lecture 9. Authentication & Key Distribution

InfoRouter LDAP Authentication Web Service InfoRouter Version 7.5 Active Innovations, Inc. Copyright

DRACONEM RGB Touch ID Gaming Mouse Pad with Fingerprint Security

APG8205 OTP Generator

idenprotect Enrolment Walkthrough Apply Mobile

How to Build a Culture of Security

Computer Security 3/20/18

Eaget Fingerprint Flash Drive

Linux Network Administration

Setting up Your Brand New ipad for Individual Use

Transcription:

User authentication: passwords versus alternative criteria Authentication verifying identity of a user example: logging into a system example: GPG digital signature is the authentication mechanism that user s ID gets embedded in his shell/interface process authentication!= authorization authorization establishes what user can do once authenticated 1

Bigger picture - how we think of it user reads file Bigger picture - how it actually works users don t read files, processes do user runs process UID reads file program that copies one file to another #include <unistd.h> #include <sys/stat.h> #include <fcntl.h> int main() { char c; int in, out; note system calls open read write They do the file access user? isn t even mentioned in the calls in = open("file.in", O_RDONLY); out = open("file.out", O_WRONLY O_CREAT, S_IRUSR S_IWUSR); while(read(in,&c,1) == 1) write(out,&c,1); exit(0); } 2

Bigger picture - how it actually works AUTHENTICATION HERE up front, determines account for first (shell) process same account, carried forward by inheritance from shell process to this spawned one user runs process UID reads file #include <unistd.h> #include <sys/stat.h> #include <fcntl.h> int main() { char c; int in, out; note system calls open read write They do the file access user? isn t even mentioned in the calls in = open("file.in", O_RDONLY); out = open("file.out", O_WRONLY O_CREAT, S_IRUSR S_IWUSR); while(read(in,&c,1) == 1) write(out,&c,1); exit(0); } Bases for authentication something people know password something about them retina/iris fingerprint DNA voice ear face something they have smart card sim (subscriber identity module) card hardware token somewhere they are login only works at certain terminals 3

Extent of authentication one or a combination of methods may be used depending on needed degree of protection single-factor multi-factor examples system login for user account, the matching password (single-factor) system with fingerprint reader (e.g. modern laptop) for user account, the matching password and finger (2-factor) ATM transaction for bank account, the card and matching pin (2-factor) PAM* architecture 1 PAM 2 /etc/pam.d 4 PAM-aware applications (e.g., /bin/login) /lib/security 3 configuration files *Pluggable Authentication Modules PAM modules 4

Default directories and files / /etc/pam.d /lib/security /etc/security /usr/share/doc/pam-xx individual config files for each app the PAM modules, as shared library files module-specific config files for modules that need them PAM documentation Operation sequence app calls PAM (1) PAM reads app s PAM config file (2) PAM calls PAM modules as listed in the file (3) each succeeds or fails independently PAM itself succeeds or fails, depending on the modules outcomes returns its overall outcome to app (4) app proceeds (if success) or terminates (if failure) the module that evaluates passwords can be supplemented or replaced by one(s) that evaluate biometric or hard-token input instead 5

Example: hardware authentication tokens Yubico YubiKey RSA SecureID Pressing yubikey,, in Notepad yubikey is a USB keyboard device it types 44 letters whenever pressed right 32 letters left 12 letters one-time password, generated this time invariant public ID of this yubikey, generated every time 6

Good play, bad replay from pressing keyboard from pressing yubikey ykclient utility queries validation server with key from command history recall buffer 2 seconds later (one-time key, used 2 nd time, is stale) play: red client to server blue server to client replay: 7

PAM for sshd: involving yubikey in ssh logins sshd 1 PAM 2 /etc/pam.d 4 a PAM-aware application 3 sshd pam_yubico.so PAM module for yubikey specifies pam_yubico.so configuration file for sshd program Configuration details corresponds this machine s david account to the particular white yubikey I bought recently, so a valid key from that yubikey device is good for admission to this account 8

yubikey pressed here client 1 yubikey types one-time key to client PuTTY 2 client PuTTY sends key to server sshd 3 sshd passes key to pam_yubico.so 4 pam_yubico.so ships it to api.yubico.com for validation ssh login by yubikey i n c r e a s i n g t i m e s e r v e r per yubico authentication server 5 api.yubico.com returns OK to pam_yubico.so 6 pam_yubico.so returns OK to sshd 7 sshd launches shell client Construction of output cccccccvrjbc = unique public ID s t a t i c a l l y s t o r e d 00000000B3D6 = unique secret ID = unique symmetric key (for AES) d y n a m i c a l l y g e n e r a t e d cccccccvrjbc encrypt cccccccvrjbc c o n c a t e n a t e tjjneccdnuerugkclcvenbilblgkdiie output cccccccvrjbctjjneccdnuerugkclcvenbilblgkdiie 9

Authentication processing application server validation request authentication server validation response app request app response public ID serial no. secret ID d a t a b a s e symmetric key last sequence number etc application client cccccccvrjbc 00000000B3D6 179 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback