Intruders, Human Identification and Authentication, Web Authentication David Sanchez Universitat Pompeu Fabra 06-06-2006
Lecture Overview
- Intruders and Intrusion Detection Systems
- Human Identification and Authentication
- Web authentication
Intruders
Intruders
- a significant issue for networked systems is hostile or unwanted access, either via the network or locally
- can identify classes of intruders: masquerader, misfeasor, clandestine user
- varying levels of competence
- may use a compromised system to launch other attacks
- awareness of intruders has led to the development of CERTs
Intrusion Techniques
- aim: to gain access to, or increase privileges on, a system
- key goal is often to acquire passwords, then exercise the access rights of their owner
- basic attack methodologies: information gathering and guessing, privilege escalation, eavesdropping
Intrusion Detection System (IDS)
- We've seen prevention security so far
- A preventive secure system will inevitably have security failures, so we also need to detect intrusions
- IDS assume an intruder will behave differently to a legitimate user, but will have imperfect distinction between
Approaches to Intrusion Detection
- statistical anomaly detection: threshold, profile based
- rule-based detection: anomaly, penetration identification
Audit Records
- fundamental tool for intrusion detection
- native audit records
- detection-specific audit records
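The three detection approaches from the previous slide, run over a small set of audit records, as an added example that is not part of the lecture: threshold detection counts failed logins per user, profile-based detection compares each login against a per-user baseline, and a rule-based check encodes the "guess until success" penetration pattern. The record layout, the thresholds and the baseline profile are assumptions constructed for illustration.

```python
"""Intrusion-detection approaches run over audit records.

Added example, not from the lecture. Record layout, thresholds and the
baseline profile are assumptions constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed audit records: (timestamp, user, event, outcome), in the
# order they were collected. A real IDS would consume native OS audit
# logs or its own detection-specific records.
AUDIT_RECORDS = [
    ("2006-06-06T09:01", "alice", "login", "ok"),
    ("2006-06-06T09:02", "bob",   "login", "fail"),
    ("2006-06-06T09:02", "bob",   "login", "fail"),
    ("2006-06-06T09:03", "bob",   "login", "fail"),
    ("2006-06-06T09:03", "bob",   "login", "fail"),
    ("2006-06-06T09:04", "bob",   "login", "fail"),
    ("2006-06-06T09:04", "bob",   "login", "fail"),
    ("2006-06-06T09:05", "bob",   "login", "ok"),
    ("2006-06-07T02:10", "alice", "login", "ok"),
    ("2006-06-07T02:11", "alice", "read",  "ok"),
]

FAILED_LOGIN_THRESHOLD = 5   # assumption

def threshold_detection(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Threshold detection: users whose failed-login count reaches the limit."""
    failures = Counter(user for _, user, event, outcome in records
                       if event == "login" and outcome == "fail")
    return {user: n for user, n in failures.items() if n >= threshold}

# Constructed per-user profile: historical mean and standard deviation of
# the hour at which the user normally logs in.
BASELINE_PROFILE = {
    "alice": {"login_hour_mean": 9.0,  "login_hour_stdev": 1.0},
    "bob":   {"login_hour_mean": 14.0, "login_hour_stdev": 2.0},
}

def profile_detection(records, profile=BASELINE_PROFILE, z_limit=3.0):
    """Profile-based detection: flag successful logins whose hour lies more
    than z_limit standard deviations from the user's historical mean."""
    alerts = []
    for ts, user, event, outcome in records:
        if event != "login" or outcome != "ok" or user not in profile:
            continue
        hour = int(ts[11:13])
        p = profile[user]
        z = abs(hour - p["login_hour_mean"]) / p["login_hour_stdev"]
        if z > z_limit:
            alerts.append((user, ts, round(z, 2)))
    return alerts

def rule_based_detection(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Rule-based penetration identification: a successful login that
    immediately follows a run of >= threshold failures by the same user
    matches the 'guess until success' rule."""
    consecutive = defaultdict(int)
    alerts = []
    for ts, user, event, outcome in records:
        if event != "login":
            continue
        if outcome == "fail":
            consecutive[user] += 1
            continue
        if consecutive[user] >= threshold:
            alerts.append((user, ts, consecutive[user]))
        consecutive[user] = 0
    return alerts

if __name__ == "__main__":
    print("threshold:", threshold_detection(AUDIT_RECORDS))
    print("profile:  ", profile_detection(AUDIT_RECORDS))
    print("rule:     ", rule_based_detection(AUDIT_RECORDS))
```

The profile check illustrates the "imperfect distinction" point from the IDS slide: a legitimate user working at an unusual hour produces the same alert as an intruder, so a threshold has to be tuned against the false-alarm rate the site can tolerate.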
Honeypots
- decoy systems to lure attackers
- are filled with fabricated information
- instrumented to collect detailed information on attackers' activities
- single or multiple networked systems
Human Identification and Authentication
- Challenge: security vs. usability
Definitions
- Identification
- Authentication
Human Authentication Categories
- What you know
- What you possess
- What you are
What you know: Passwords
- Method
  - User enters ID + password
  - System compares the entered password against the stored one
  - Successful match grants access
- Benefits
  - Users and administrators have been using it for a long period: trust and usability
  - Effective (if properly managed)
- Limitations
  - Password randomness (security) vs. easy remembering
  - Giving passwords away: allows access to restricted users, social engineering
  - User may forget to log out of the session
  - Management overhead
Attacks against Password Authentication
- Dictionary attack
- Offline/online password guessing
- Password capture
Improving Password Security
- User education
- Password generators
- User-selected + reactive/proactive checking
- Limits on log-in attempts
- Password attributes
- Changing passwords
- Technical protection of the password file
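Two of the measures above, proactive checking of a user-selected password and a limit on log-in attempts, as an added example that is not part of the lecture. The mini-dictionary, the length and character-class rules, the entropy floor and the lockout parameters are assumptions chosen for illustration; a real checker would load a full dictionary.

```python
"""Proactive password checking and a limit on log-in attempts.

Added example, not from the lecture. Dictionary, rules and lockout
parameters are assumptions chosen for illustration.
"""
import math
import time
from collections import deque

# Constructed mini-dictionary; a real deployment loads a large word list.
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "monkey", "upf"}

MIN_LENGTH = 10         # assumption
MIN_CLASSES = 3         # assumption: of lower, upper, digit, symbol
MIN_ENTROPY_BITS = 40   # assumption

def character_classes(password):
    """Which of the four character classes the password uses."""
    return {
        "lower":  any(c.islower() for c in password),
        "upper":  any(c.isupper() for c in password),
        "digit":  any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }

def estimate_entropy_bits(password):
    """Rough estimate: length * log2(alphabet), where the alphabet is summed
    over the classes actually used (26 + 26 + 10 + 33 printable symbols)."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    used = character_classes(password)
    alphabet = sum(sizes[k] for k, on in used.items() if on)
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_password(password, user_id):
    """Proactive checker: the list of reasons for rejecting the password;
    an empty list means it is accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if sum(character_classes(password).values()) < MIN_CLASSES:
        reasons.append("too few character classes")
    # Strip digits and symbols so that decorated words such as "Password1!"
    # are still recognised as dictionary words.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        reasons.append("dictionary word")
    if user_id.lower() in lowered:
        reasons.append("contains user ID")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append("low estimated entropy")
    return reasons

class LoginLimiter:
    """Limit on log-in attempts: once max_failures have occurred within
    window_seconds, further attempts for that user are refused until the
    oldest failure ages out of the window."""
    def __init__(self, max_failures=5, window_seconds=300, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = {}   # user -> deque of failure timestamps

    def _recent(self, user):
        now = self.clock()
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, user):
        return len(self._recent(user)) >= self.max_failures

    def record_failure(self, user):
        self._recent(user).append(self.clock())

    def record_success(self, user):
        self._failures.pop(user, None)

def demo_limiter():
    """Three failures lock the account; it unlocks once the window passes."""
    now = [1000.0]                      # fake clock so the demo is deterministic
    limiter = LoginLimiter(max_failures=3, window_seconds=60, clock=lambda: now[0])
    for _ in range(3):
        limiter.record_failure("bob")
    locked = limiter.is_locked("bob")
    now[0] += 61
    unlocked_later = limiter.is_locked("bob")
    return locked, unlocked_later
```

The limiter is what turns an online guessing attack into a slow one; the checker is what keeps the user-selected password out of the dictionary an offline attack would start from. Note that a lockout also lets anyone lock a known user out, so the window should be short and the event logged rather than treated as an alarm on its own.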
What you possess: tokens
- Usually combined with what you know, also with what you are
- Typical method
  - User inserts token + PIN
  - PIN stored in token, system stores token ID
  - System authenticates token and user
  - Successful match grants access
- Categories
  - Memory tokens
  - Smart cards
Memory Tokens
- Memory token
  - Stores information
  - Reader/writer controls reading/writing data to/from the token
  - Usually coupled with a PIN
  - PIN-less token usually for physical access control
- Benefits
  - More secure than a password
  - Memory card is inexpensive to produce
  - Session logs out as soon as the token is removed
- Limitations
  - Requires a special reader
  - Token loss
  - User dissatisfaction
Smart Tokens
- Smart token
  - Incorporates a processor unit
  - Usually coupled with a PIN to unlock the smart token for use
- Classification
  - Physical characteristics
  - Interface
  - Authentication protocol
- Benefits
  - Enable one-time passwords
  - Reduced risk of forgery
- Limitations
  - Need readers/writers or human intervention
  - Substantial management
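How a smart token's processor can produce one-time passwords, as an added example that is not part of the lecture. It uses the HMAC-based one-time password construction of RFC 4226 (HOTP) as one concrete authentication protocol; the token and server classes, the PIN handling and the look-ahead window are assumptions made for illustration, and the secret is the RFC 4226 test-vector key rather than a real credential.

```python
"""One-time passwords from a smart token sharing a secret with the system.

Added example, not from the lecture. HOTP (RFC 4226) is one concrete
choice of protocol; token/server structure, PIN handling and look-ahead
window are assumptions for illustration.
"""
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

class SmartToken:
    """Token side: the PIN unlocks the processor, which derives the next
    code from a secret that never leaves the token."""
    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def next_otp(self, pin):
        if not hmac.compare_digest(pin, self._pin):
            return None                 # wrong PIN: token stays locked
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code

class AuthServer:
    """System side: stores each token's secret and the next counter it
    expects. A code is accepted at most once, so a captured code cannot
    be replayed (the one-time property the lecture lists as a benefit)."""
    def __init__(self):
        self._tokens = {}   # token_id -> [secret, next expected counter]

    def enrol(self, token_id, secret):
        self._tokens[token_id] = [secret, 0]

    def verify(self, token_id, otp, look_ahead=5):
        entry = self._tokens.get(token_id)
        if entry is None or otp is None:
            return False
        secret, expected = entry
        # Small window so codes the token generated but never submitted
        # (PIN entered, then cancelled) do not desynchronise it.
        for counter in range(expected, expected + look_ahead):
            if hmac.compare_digest(hotp(secret, counter), otp):
                entry[1] = counter + 1  # every code up to this one is spent
                return True
        return False

TEST_VECTOR_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D key

def demo():
    token = SmartToken(TEST_VECTOR_SECRET, pin="1234")
    server = AuthServer()
    server.enrol("token-42", TEST_VECTOR_SECRET)
    first = token.next_otp("1234")
    accepted = server.verify("token-42", first)
    replayed = server.verify("token-42", first)     # same code submitted again
    wrong_pin = token.next_otp("0000")
    return first, accepted, replayed, wrong_pin
```

The server holds the token secret in clear, which is the "substantial management" cost on the slide: the secret store needs the same protection as a password file, and each lost token must be revoked by removing its entry.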
What you are: biometrics
- Exploit unique characteristics of an individual to authenticate that person's identity
- Typical method
  - User interfaces with the system
  - System monitors and digitizes the biometric pattern
  - System compares it with the stored reference biometric digital profile
  - Successful match grants access
- Benefits
  - You always carry what you are
- Limitations
  - Technically complex and expensive technologies
  - Difficult user acceptance
  - A lost (stolen) biometric cannot be recovered
  - Biometric may evolve or be damaged
Biometrics technologies
- Retinal scanner
- Fingerprint readers
- Face recognition
- Iris scanner
- Handprint readers
- Voiceprints
- Keystroke timing
- Signatures
Web Authentication
Basic password web authentication
- Setup
  - User chooses a password
  - Hash of the password is stored in the password file
- Authentication
  - User logs into the system, supplies the password
  - System computes the hash, compares it to the file
- Standard implementations
  - Basic and digest access authentication (RFC 2617)
  - Kerberos
- Alternatives
  - SSL client authentication (requires wide PKI deployment)
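The setup and authentication steps above in code, as an added example that is not part of the lecture. The lecture says a hash of the password is stored; this example additionally salts each entry and uses PBKDF2-HMAC-SHA256, a hardening choice of the example rather than something the lecture prescribes, and keeps the password file in memory as one "user:salt:hash" line per user.

```python
"""Password-file setup and authentication with a salted, slow hash.

Added example, not from the lecture. Salt, PBKDF2 and the file line
format are choices of this example; the iteration count is an assumption.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption; tune to the server's CPU budget

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def setup_user(password_file, user_id, password):
    """Setup: the user chooses a password; only salt and hash are stored."""
    if ":" in user_id:
        raise ValueError("user ID must not contain the field separator")
    salt = os.urandom(16)
    password_file[user_id] = f"{user_id}:{salt.hex()}:{_derive(password, salt).hex()}"

def authenticate(password_file, user_id, password):
    """Authentication: recompute the hash under the stored salt and compare
    it to the stored value in constant time."""
    line = password_file.get(user_id)
    if line is None:
        # Do the same work for unknown IDs so response time does not
        # reveal which accounts exist (assumption about the threat model).
        _derive(password, bytes(16))
        return False
    _, salt_hex, hash_hex = line.split(":")
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def demo():
    pw_file = {}
    setup_user(pw_file, "alice", "correct-horse-7Battery")
    setup_user(pw_file, "bob", "correct-horse-7Battery")    # same password as alice
    same_hash = pw_file["alice"].split(":")[2] == pw_file["bob"].split(":")[2]
    return (
        authenticate(pw_file, "alice", "correct-horse-7Battery"),
        authenticate(pw_file, "alice", "wrong-password"),
        authenticate(pw_file, "carol", "anything"),
        same_hash,   # False: the per-user salt separates equal passwords
    )
```

The salt is what makes "technical protection of the password file" meaningful against an offline dictionary attack: a stolen file has to be attacked one entry at a time instead of against a single precomputed table, and the slow hash makes each guess cost the attacker as much as it costs the server.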
Web Authentication Attacks
- Online dictionary attack
- Offline dictionary attack
- Replay attack
- Malicious or weak-security website
- Phishing
- Common password problem
- Malware on client machine
- Spyware
- Session hijacking
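The replay attack above against the digest access authentication the previous slide lists, as an added example that is not part of the lecture. Both sides of the RFC 2617 exchange (qop=auth) are modelled in one file so the server's nonce bookkeeping is visible; the realm, user, client nonce and nonce lifetime are constructed values.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth) with replay rejection.

Added example, not from the lecture. Realm, user, client nonce and nonce
lifetime are constructed values.
"""
import hashlib
import hmac
import secrets
import time

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client side (RFC 2617 section 3.2.2): the password never leaves the
    client; only this MD5 response travels in the Authorization header."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:
    def __init__(self, realm, nonce_lifetime=300, clock=time.time):
        self.realm = realm
        self.lifetime = nonce_lifetime
        self.clock = clock
        self._ha1 = {}      # username -> HA1; the server needs HA1, not the password
        self._nonces = {}   # nonce -> [issued_at, highest nonce-count accepted]

    def add_user(self, username, password):
        self._ha1[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self):
        """Issue a fresh, unpredictable server nonce (WWW-Authenticate)."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self.clock(), 0]
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        """Check an Authorization header; returns a short verdict string."""
        state = self._nonces.get(nonce)
        if state is None or self.clock() - state[0] > self.lifetime:
            return "stale nonce"
        if int(nc, 16) <= state[1]:
            return "replay"             # nonce-count must strictly increase
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return "unknown user"
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return "bad credentials"
        state[1] = int(nc, 16)
        return "ok"

def demo():
    now = [1000.0]                      # fake clock for a deterministic demo
    server = DigestServer("upf.example", nonce_lifetime=300, clock=lambda: now[0])
    server.add_user("alice", "s3cret-pw")
    nonce = server.challenge()
    header = ("alice", "GET", "/grades", nonce, "00000001", "0a1b2c3d")
    response = digest_response("alice", "s3cret-pw", "upf.example",
                               "GET", "/grades", nonce, "00000001", "0a1b2c3d")
    first = server.verify(*header, response)
    replayed = server.verify(*header, response)          # identical header resent
    bumped = server.verify("alice", "GET", "/grades", nonce,
                           "00000002", "0a1b2c3d", response)   # nc changed, response not
    now[0] += 301
    expired = server.verify("alice", "GET", "/grades", nonce,
                            "00000003", "0a1b2c3d", response)
    return first, replayed, bumped, expired
```

The nonce and nonce-count stop a captured Authorization header from being reused, which is the replay attack on the slide. They do nothing against the offline dictionary attack listed above it: everything in the response except the password is visible on the wire, so a captured exchange can be tested against a word list at leisure, which is why the slide pairs digest authentication with the password-strength measures covered earlier.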
References
- William Stallings. Cryptography and Network Security: Principles and Network Security, 3/e and 4/e. Chapter 18. Prentice Hall.
- C. Kaufman, R. Perlman and M. Speciner. Network Security: Private Communications in a Public World. Chapter 10. Prentice Hall.
- SP800-12. An Introduction to Computer Security: The NIST Handbook. Chapter 16 - Identification and Authentication. October 1995.
- Kevin Fu et al. Dos and Don'ts of Client Authentication on the Web. In Proc. of the 10th USENIX Security Symposium. 2001.