Intruders, Human Identification and Authentication, Web Authentication


Intruders, Human Identification and Authentication, Web Authentication
David Sanchez, Universitat Pompeu Fabra, 06-06-2006

Lecture Overview
- Intruders and Intrusion Detection Systems
- Human Identification and Authentication
- Web Authentication

Intruders

Intruders
- A significant issue for networked systems is hostile or unwanted access, either via the network or locally.
- Classes of intruders can be identified: masquerader, misfeasor, clandestine user.
- Intruders have varying levels of competence.
- A compromised system may be used to launch other attacks.
- Awareness of intruders has led to the development of CERTs.

Intrusion Techniques
- Aim: to gain access to, or increase privileges on, a system.
- The key goal is often to acquire passwords, then exercise the access rights of their owner.
- Basic attack methodologies: information gathering and guessing, privilege escalation, eavesdropping.

Intrusion Detection System (IDS)
- We've seen preventive security so far.
- A preventive secure system will inevitably have security failures, so intrusions must also be detected.
- An IDS assumes the intruder will behave differently from a legitimate user, but the distinction between the two will be imperfect.

Approaches to Intrusion Detection
- Statistical anomaly detection: threshold-based, profile-based.
- Rule-based detection: anomaly detection, penetration identification.

Audit Records
- The fundamental tool for intrusion detection.
- Native audit records.
- Detection-specific audit records.
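The three detection approaches on the previous slide, run over native audit records, as an added example that is not part of the original lecture: constructed sshd-style log lines and a constructed per-user source profile are parsed into detection-specific records, then a threshold rule, a profile comparison and a penetration-identification rule are each applied.

```python
import re
from collections import Counter

# Constructed sshd-style native audit records (not taken from the slides).
AUDIT_LINES = [
    "Jun  6 10:00:01 host sshd[101]: Accepted password for alice from 10.0.0.5 port 5001",
    "Jun  6 10:00:09 host sshd[102]: Failed password for bob from 203.0.113.7 port 5002",
    "Jun  6 10:00:10 host sshd[103]: Failed password for bob from 203.0.113.7 port 5003",
    "Jun  6 10:00:11 host sshd[104]: Failed password for bob from 203.0.113.7 port 5004",
    "Jun  6 10:00:12 host sshd[105]: Failed password for bob from 203.0.113.7 port 5005",
    "Jun  6 10:00:14 host sshd[106]: Accepted password for bob from 203.0.113.7 port 5006",
    "Jun  6 10:01:00 host sshd[107]: Accepted password for carol from 10.0.0.9 port 5007",
]

# Constructed profile: the source addresses each user has historically logged in from.
PROFILE = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}, "carol": {"10.0.0.9"}}

LINE_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (\S+) from (\S+)")

def parse(lines):
    """Turn native audit records into (outcome, user, source) detection-specific records."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

def threshold_detect(lines, max_failures=3):
    """Statistical, threshold-based: sources with more than max_failures failed logins."""
    failures = Counter(src for outcome, _, src in parse(lines) if outcome == "Failed")
    return {src: n for src, n in failures.items() if n > max_failures}

def profile_detect(lines, profile):
    """Statistical, profile-based: successful logins from a source the user never used before."""
    return [(user, src) for outcome, user, src in parse(lines)
            if outcome == "Accepted" and src not in profile.get(user, set())]

def rule_detect(lines):
    """Rule-based penetration identification: a success from a source that failed
    earlier in the window matches the pattern 'guess repeatedly, then get in'."""
    failed_from, hits = set(), []
    for outcome, user, src in parse(lines):
        if outcome == "Failed":
            failed_from.add(src)
        elif src in failed_from:
            hits.append((user, src))
    return hits
```

The threshold and the profile are the tunable parts: too low a threshold or too narrow a profile produces the false alarms the IDS slide warns about.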

Honeypots
- Decoy systems to lure attackers.
- Filled with fabricated information.
- Instrumented to collect detailed information on attackers' activities.
- Single or multiple networked systems.

Human Identification and Authentication
Challenge: security vs. usability

Definitions
- Identification
- Authentication

Human Authentication Categories
- What you know
- What you possess
- What you are

What you know: Passwords
Method
- User enters ID + password.
- System compares the entered password against the stored one.
- A successful match grants access.
Benefits
- Users and administrators have used passwords for a long time: trust and usability.
- Effective (if properly managed).
Limitations
- Password randomness (security) vs. ease of remembering.
- Passwords can be given away, allowing access to restricted users; social engineering.
- The user may forget to log out of a session.
- Management overhead.

Attacks against Password Authentication
- Dictionary attack
- Offline/online password guessing
- Password capture

Improving Password Security
- User education
- Password generators
- User-selected passwords + reactive/proactive checking
- Limits on log-in attempts
- Password attributes
- Changing passwords
- Technical protection of the password file
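Three of the measures listed above (proactive checking of user-selected passwords, a limit on log-in attempts, and technical protection of the stored password) worked through together, as an added example that is not part of the original lecture; the dictionary, the 12-character minimum, the five-attempt limit and the 300-second lockout are assumed policy values.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracking dictionary; a real deployment would load a wordlist.
DICTIONARY = {"password", "123456", "qwerty", "letmein", "welcome"}

def proactive_check(password, user_id):
    """Proactive checking: reject a user-selected password that a dictionary attack
    or offline guessing would recover quickly (assumed policy: 12+ chars, 3 classes)."""
    lowered = password.lower()
    if len(password) < 12 or lowered in DICTIONARY or user_id.lower() in lowered:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

def make_record(password, iterations=200_000):
    """Technical protection of the password file: store a salted, iterated hash,
    never the password itself, so a stolen file still has to be guessed offline."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest,
            "failures": 0, "locked_until": 0.0}

def verify(record, password, max_attempts=5, lockout_seconds=300, now=None):
    """Authentication with a limit on log-in attempts: after max_attempts failures
    the account is locked for lockout_seconds, which blunts online guessing."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False                      # locked out: do not even check the password
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= max_attempts:
        record["locked_until"] = now + lockout_seconds
        record["failures"] = 0
    return False
```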

What you possess: tokens
- Usually combined with what you know, and also with what you are.
Typical method
- User inserts token + PIN.
- The PIN is stored in the token; the system stores the token ID.
- System authenticates token and user.
- A successful match grants access.
Categories
- Memory tokens
- Smart cards

Memory Tokens
- A memory token stores information.
- A reader/writer controls reading/writing of data to/from the token.
- Usually coupled with a PIN; PIN-less tokens are usually for physical access control.
Benefits
- More secure than passwords.
- Memory cards are inexpensive to produce.
- The session logs out as soon as the token is removed.
Limitations
- Requires a special reader.
- Token loss.
- User dissatisfaction.

Smart Tokens
- A smart token incorporates a processor unit.
- Usually coupled with a PIN to unlock the smart token for use.
Classification
- Physical characteristics
- Interface
- Authentication protocol
Benefits
- Enable one-time passwords.
- Reduced risk of forgery.
Limitations
- Need readers/writers or human intervention.
- Substantial management.

What you are: biometrics
- Exploit unique characteristics of an individual to authenticate that person's identity.
Typical method
- User interfaces with the system.
- System monitors and digitises the biometric pattern.
- System compares it with the stored reference biometric digital profile.
- A successful match grants access.
Benefits
- You always carry what you are.
Limitations
- Technically complex and expensive technologies.
- Difficult user acceptance.
- A lost (stolen) biometric cannot be recovered.
- A biometric may evolve or be damaged.

Biometric technologies
- Retinal scanner
- Fingerprint readers
- Face recognition
- Iris scanner
- Handprint readers
- Voiceprints
- Keystroke timing
- Signatures

Web Authentication

Basic password web authentication
Setup
- User chooses a password.
- A hash of the password is stored in the password file.
Authentication
- User logs into the system, supplying the password.
- System computes the hash and compares it to the file.
Standard implementations
- Basic and digest access authentication (RFC 2617)
- Kerberos
Alternatives
- SSL client authentication (requires wide PKI deployment)

Web Authentication Attacks
- Online dictionary attack
- Offline dictionary attack
- Replay attack
- Malicious or weak-security website
- Phishing
- Common password problem
- Malware on the client machine; spyware
- Session hijacking
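The RFC 2617 digest access authentication exchange named two slides up, with both the server and the client side, as an added example that is not part of the original lecture; it shows why the server file holds only HA1 = MD5(username:realm:password) rather than the password, and how the nonce and nonce-count let the server reject the replay attack listed above. The realm name is assumed; MD5 is what RFC 2617 specifies (RFC 7616 later added SHA-256).

```python
import hashlib
import hmac
import secrets

REALM = "example.org"   # assumed realm for this example

def md5_hex(s):
    """MD5 hex digest, the hash RFC 2617 specifies (RFC 7616 adds SHA-256)."""
    return hashlib.md5(s.encode()).hexdigest()

class DigestServer:
    """Server side: stores only HA1 per user and the nonces it has issued."""
    def __init__(self):
        self.ha1 = {}
        self.nonces = {}       # nonce -> highest nonce-count accepted so far

    def enroll(self, user, password):
        self.ha1[user] = md5_hex(f"{user}:{REALM}:{password}")

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, auth):
        ha1 = self.ha1.get(auth["username"])
        if ha1 is None or auth["nonce"] not in self.nonces:
            return False
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[auth["nonce"]]:
            return False       # same or older nonce-count: a replayed response
        ha2 = md5_hex(f'{auth["method"]}:{auth["uri"]}')
        expected = md5_hex(
            f'{ha1}:{auth["nonce"]}:{auth["nc"]}:{auth["cnonce"]}:{auth["qop"]}:{ha2}')
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.nonces[auth["nonce"]] = nc
        return True

def client_response(user, password, method, uri, chal, nc=1):
    """Client side: proves knowledge of the password without ever sending it."""
    cnonce = secrets.token_hex(8)
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    nc_hex = f"{nc:08x}"
    response = md5_hex(f"{ha1}:{chal['nonce']}:{nc_hex}:{cnonce}:{chal['qop']}:{ha2}")
    return {"username": user, "nonce": chal["nonce"], "nc": nc_hex, "cnonce": cnonce,
            "qop": chal["qop"], "uri": uri, "method": method, "response": response}
```

A captured HA1 still lets an attacker authenticate as that user for that realm, so the password file needs the same technical protection as a hashed one; the scheme stops password disclosure and replay, not theft of the server's file.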

References
- William Stallings. Cryptography and Network Security: Principles and Practice, 3/e and 4/e. Chapter 18. Prentice Hall.
- C. Kaufman, R. Perlman and M. Speciner. Network Security: Private Communication in a Public World. Chapter 10. Prentice Hall.
- SP 800-12. An Introduction to Computer Security: The NIST Handbook. Chapter 16, Identification and Authentication. October 1995.
- Kevin Fu et al. Dos and Don'ts of Client Authentication on the Web. In Proc. of the 10th USENIX Security Symposium, 2001.