Authentication CHAPTER 17

Authentication
Authentication is the process by which you decide that someone is who they say they are and is therefore permitted to access the requested resources. Examples:
- getting entrance to a computer lab
- getting past the bouncer at the bar
- logging into your web application

Authentication Factors
Authentication factors are the things you can ask someone for in an effort to validate that they are who they claim to be.

Authentication Factors: the things you can ask someone for
- Knowledge factors are the things you know: passwords, PINs, challenge questions
- Ownership factors are the things you possess: key, fob, card, mobile phone
- Inherence factors are the things you are: fingerprint, signature, DNA, gait

Single-Factor Authentication
Single-factor authentication is the weakest and most common category of authentication system: you ask for only one of the three factors.
- Know a password
- Possess an access card
- Fingerprint access on your mobile phone
When better authentication confidence is required, more than one authentication factor should be considered.

Multi-Factor Authentication
Multi-factor authentication is where two distinct factors of authentication must pass before you are granted access. The way we all access an ATM is an example of two-factor authentication: you must have both the knowledge factor (PIN) and the ownership factor (card). Multi-factor authentication is becoming prevalent in consumer products as well: your cell phone is used as the ownership factor alongside your PIN as a knowledge factor.

Authentication for Websites
Form-based authentication allows the developer to code a login form that gets the username and password, and to request the username and password only once per session. This is the most common type of authentication.
Digest and Basic Authentication use browser-based dialog boxes to get the username and password (not widely used).

Third-Party Authentication: let someone else worry about it
Many popular services allow you to use their system to authenticate the user and provide you with enough data to manage your application. Third-party authentication schemes like OpenID and OAuth are popular with developers and are used under the hood by many major websites, including Amazon, Facebook, Microsoft, and Twitter, to name but a few.

OAuth: third-party authentication requires some effort
OAuth uses four roles:
- The resource owner is normally the end user who owns and can grant access to the resource (though it can be a computer as well).
- The resource server hosts the resources and can process requests using access tokens.
- The client is the application making requests on behalf of the resource owner.
- The authorization server issues tokens to the client upon successful authentication of the resource owner. Often this is the same as the resource server.

OAuth
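To make the four roles concrete, here is an added example (not from the slides, and not the OAuth 2.0 protocol itself, which has several grant types and wire formats this omits) that models them in plain Python: an authorization server that authenticates the resource owner and issues a signed, expiring access token to a registered client, and a resource server that checks the token before serving data. The signing key is shared between the two servers, which stands in for the slide's remark that they are often the same system; the user record, client registration and resource data are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Key shared by the authorization server and the resource server so the
# latter can check the tokens the former issues. Constructed at import time.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Password storage as the later slides recommend: salted and slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """Authenticates the resource owner and issues access tokens to a client."""

    def __init__(self, users: dict, clients: dict):
        self.users = users        # username -> (salt, password hash)
        self.clients = clients    # client_id -> scopes that client may request

    def issue_token(self, username, password, client_id, scope, ttl=300):
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return None                       # resource owner not authenticated
        if scope not in self.clients.get(client_id, set()):
            return None                       # unknown client, or scope not allowed
        claims = {"sub": username, "client": client_id, "scope": scope,
                  "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(tag)


class ResourceServer:
    """Hosts resources and serves requests that carry a valid access token."""

    def __init__(self, resources: dict):
        self.resources = resources  # (owner username, scope) -> data

    def verify(self, token: str, now=None):
        try:
            body, tag = token.split(".", 1)
            expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return None                   # forged or tampered token
            claims = json.loads(_unb64(body))
            if claims["exp"] < (time.time() if now is None else now):
                return None                   # expired
            return claims
        except (ValueError, KeyError):
            return None                       # malformed token

    def fetch(self, token: str, scope: str):
        claims = self.verify(token)
        if claims is None or claims["scope"] != scope:
            return None
        return self.resources.get((claims["sub"], scope))


# Constructed sample data: one resource owner, one registered client.
_SALT = secrets.token_bytes(16)
AUTH = AuthorizationServer(
    users={"alice": (_SALT, _pw_hash("correct horse battery", _SALT))},
    clients={"photo-app": {"photos:read"}},
)
RESOURCES = ResourceServer({("alice", "photos:read"): ["beach.jpg", "cat.jpg"]})


def demo():
    """The client obtains a token for alice and presents it to the resource server."""
    token = AUTH.issue_token("alice", "correct horse battery", "photo-app", "photos:read")
    return RESOURCES.fetch(token, "photos:read")
```

The point to notice is that the resource server never sees alice's password: it only checks that the token was minted by the authorization server, has not expired, and carries the scope being requested.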

Authorization: not the same as authentication
Authorization defines what rights and privileges a user has once they are authenticated. Authentication grants access; authorization defines what the user with access can (and cannot) do. The principle of least privilege is a helpful rule of thumb: give users and software only the privileges required to accomplish their work.

Back to Form-Based Authentication
In general:
- Encryption means two-way encoding with a public or private key.
- Hashing means one-way encoding (it can't be decoded).
Best practice is to store passwords in the database in hashed form so that if the database is breached, passwords aren't easily read. MD5 and SHA-1 are older hashing algorithms which have been found to have flaws; SHA-256 and SHA-512 are newer and stronger (the number refers to the length in bits of the hash produced). PHP has a hash() function which can be used as follows:
    $password = hash("sha256", $password);

Using Salts for Added Security
Passwords can be made even more secure by adding some random value to the password string before hashing it. There are several ways to do this:
1. Generate a random number and concatenate the password with it before hashing (the salt must then be stored).
2. Concatenate another field, say the user's email, with the password before hashing.
As long as the comparison string is concatenated and hashed the same way, the algorithm will generate the same hashed string.

BCrypt
The slower a hashing algorithm works, the harder it is for hackers' automated cracking attempts to succeed. But it can't be so slow that it becomes impractical to use. Bcrypt is based on a symmetric block cipher called Blowfish. We can make the algorithm work n times slower than it normally would by manipulating the cost factor (the two-digit number following the second $ in the salt).

Others
- PBKDF2: Password-Based Key Derivation Function 2. Designed to be a key-stretching function, but suitable for password storage.
- scrypt(): Relatively new (2012). Designed to ensure better security than its predecessor bcrypt().

Too Many Choices
As of PHP 5.5, there is a password_hash() function which allows PHP to select the most trusted password hashing algorithm available without you having to modify your code. The default uses the bcrypt algorithm and a randomly generated salt. (The salt option has been deprecated in PHP 7.0, so it is preferable to start using the salt generated by default.) Because the default algorithm is meant to change over time, it is recommended that varchar(255) be used to store passwords (even though the current length only requires 60 characters).
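The last few slides describe one procedure: hash rather than store, salt per user, make the hash slow, and let the stored record carry its own parameters so the cost can be raised later. The following added example (written for this page, not code from the slides or from PHP) works through that procedure in Python using PBKDF2 from the standard library, since bcrypt is not built in. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` is this example's own, chosen to mirror the self-describing layout of bcrypt strings; `needs_rehash()` plays the role of PHP's password_needs_rehash(). The unsalted and email-salted variants are included only so the difference is visible.

```python
import hashlib
import hmac
import secrets

# Hypothetical stored-record format used by this example only:
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
# Like the "$2y$<cost>$..." bcrypt strings the slides mention, the record
# carries its own parameters, so they can be raised later without breaking
# rows that were hashed under the old setting.
ITERATIONS = 100_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)            # method 1: random salt, stored alongside
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not leak how much of the hash matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """Counterpart of PHP's password_needs_rehash(): true when the row was
    hashed with fewer iterations than we want today."""
    _, iters, _, _ = stored.split("$")
    return int(iters) < iterations


def unsalted_sha256(password: str) -> str:
    """The slides' hash("sha256", $password): equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def email_salted_sha256(password: str, email: str) -> str:
    """Method 2 from the salts slide: per-user, but predictable and not slow."""
    return hashlib.sha256((email + password).encode()).hexdigest()


def login(username: str, password: str, table: dict) -> bool:
    """Check a login against a users table and upgrade weak records in place.
    Upgrading is only possible at login time, while the plaintext is in hand."""
    stored = table.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        table[username] = hash_password(password)
    return True
```

Two things the slides state become observable here: the same password hashed twice with a random salt yields two different records (so a breached table does not reveal which users share a password), whereas the unsalted form yields identical strings; and because the iteration count lives in the record, a user whose row was hashed with an old, cheaper setting is transparently upgraded the next time they log in.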

Secure Authentication
Authentication is the process of determining whether a server or client is who and what it claims to be. When a browser makes an initial attempt to communicate with a server over a secure connection, the server authenticates itself by providing a digital secure certificate. If the digital secure certificate is registered with the browser, the browser won't display the certificate by default. However, the user still has the option to view the certificate. In some rare cases, the server may request that a client authenticate itself by presenting its own digital secure certificate.

HTTPS: Secure HTTP
HTTPS is the HTTP protocol running on top of Transport Layer Security (TLS). It's easy to see from a client's perspective that a site is secured by the little padlock icon in the URL bar used by most modern browsers.

HTTPS Secure Handshakes

A Digital Secure Certificate

HTTPS: Certificate Authorities
A Certificate Authority (CA) allows users to place their trust in the certificate since a trusted, independent third party signs it.

Certificate Authorities
(Figure: a W3Techs survey from May 2015)
SSL Strengths
Refers to the length of the key generated during encryption. Stronger security costs more:
- 40-bit
- 56-bit
- 128-bit (typical SSL strength for collecting personal information)
- 256-bit

HTTPS: Self-Signed Certificates
Self-signed certificates provide the same level of encryption, but the validity of the server is not confirmed.

Using HTTPS
Secure Sockets Layer (SSL): an older Internet protocol that allows for data transmission between server and client through a secure connection.
Transport Layer Security (TLS): a newer protocol for transferring data via a secure connection. Often still referred to as SSL.
Secure connection:
- The browser encrypts data being sent to the server and the server then decrypts it.
- The server encrypts data being sent to the browser and the browser then decrypts it.
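The certificate slides make a distinction that is easy to lose in code: a TLS session is encrypted whether or not anyone vouches for the server's certificate. The added example below (written for this page; not from the slides) shows, with Python's standard ssl module, the client configuration that behaves like the browser described above, beside the weak setting that still encrypts but never confirms who the server is. `extra_ca_file` is assumed to be the path to a self-signed certificate you have decided to trust; `peer_certificate_subject()` needs network access and is not exercised offline.

```python
import socket
import ssl
from typing import Optional


def browser_like_context(extra_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """A client context that does what the slides say a browser does: requires
    a certificate that chains to a trusted CA and names the host we asked for."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if extra_ca_file is not None:
        # A self-signed certificate encrypts just as well, but no CA vouches
        # for it, so it only verifies if we deliberately trust that one cert.
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def no_verification_context() -> ssl.SSLContext:
    """The weak setting, for comparison: the session is still encrypted, but
    any certificate is accepted, so the server's identity is never confirmed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will and will not check."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def peer_certificate_subject(host: str, port: int = 443,
                             ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect and return the subject of the certificate the server presented.
    Needs network access. With browser_like_context() a self-signed or
    mis-named certificate raises ssl.SSLCertVerificationError instead."""
    ctx = ctx or browser_like_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()      # empty dict under CERT_NONE
    return {k: v for pair in cert.get("subject", ()) for k, v in pair}
```

The checks a reviewer would look for in client code are exactly the three fields `describe()` reports; a context whose `verify_mode` is `CERT_NONE` gives you the padlock's encryption without its meaning.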

URLs for Secure Connections
Request a secure connection: https://webdev.cislabs.uncw.edu
Return to a regular connection: http://webdev.cislabs.uncw.edu
Requests must be full (absolute) URLs.

Redirection
The server instructs the browser to issue a new request to another URL, using the header() function with the Location: string:
    header('Location: .');         // the current directory
    header('Location: ..');        // up one directory
    header('Location: ./admin');   // down one directory
    header('Location: error.php');
    header('Location: https://webdev.cislabs.uncw.edu/~abc123');

The $_SERVER Array
Examples of URI references:
    https://example.org/absolute/uri/with/absolute/path/to/resource.txt
    //example.org/scheme-relative/uri/with/absolute/path/to/resource.txt
    /relative/uri/with/absolute/path/to/resource.txt
    relative/path/to/resource.txt
    ../../../resource.txt

The $_SERVER Array
    $_SERVER['HTTP_HOST']   = webdev.cislabs.uncw.edu
    $_SERVER['REQUEST_URI'] = /~abc1234/file.php
A utility file (secure_conn.php) that builds an absolute URL from the $_SERVER array and redirects to it:
    <?php
    // make sure the page uses a secure connection
    // (some servers set HTTPS to 'off' rather than leaving it unset)
    $https = filter_input(INPUT_SERVER, 'HTTPS');
    if (!$https || $https === 'off') {
        $host = filter_input(INPUT_SERVER, 'HTTP_HOST');
        $uri  = filter_input(INPUT_SERVER, 'REQUEST_URI');
        $url  = 'https://' . $host . $uri;
        header("Location: " . $url);
        exit();
    }
    ?>

Requiring a Secure Connection
    require_once 'secure_conn.php';
Use on any pages that contain sensitive information.

Reverting to HTTP
    require_once 'reg_conn.php';
After a user has logged out, for example.
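The two $_SERVER slides together cover how a reference on a page turns into the absolute URL the browser fetches, and how secure_conn.php rebuilds the current request as an https:// URL. The added example below (mine, not from the slides; Python rather than PHP so it runs stand-alone) does both: `resolve()` applies the standard resolution rules to the slide's five reference forms against a constructed base page, and `secure_redirect()` is a port of the secure_conn.php logic taking the relevant $_SERVER entries as a dict. The port adds two checks the slide does not discuss, which a reviewer would ask for: the Host header must be one of the names the site is really served under (`ALLOWED_HOSTS`, assumed from the slides' server name), and the request path must not begin with `//`, which would turn the redirect into a scheme-relative URL to another host.

```python
from typing import Optional
from urllib.parse import urljoin

# Constructed base page; the references are the slide's examples.
BASE_PAGE = "https://example.org/absolute/uri/with/absolute/path/to/page.php"
REFERENCES = [
    "https://example.org/absolute/uri/with/absolute/path/to/resource.txt",
    "//example.org/scheme-relative/uri/with/absolute/path/to/resource.txt",
    "/relative/uri/with/absolute/path/to/resource.txt",
    "relative/path/to/resource.txt",
    "../../../resource.txt",
]


def resolve(base: str, ref: str) -> str:
    """Absolute URL the browser will request for `ref` found on page `base`
    (RFC 3986 reference resolution, as implemented by urljoin)."""
    return urljoin(base, ref)


def resolve_all(base: str = BASE_PAGE) -> dict:
    return {ref: resolve(base, ref) for ref in REFERENCES}


# Hostnames this application is actually served under (from the slides).
ALLOWED_HOSTS = {"webdev.cislabs.uncw.edu"}


def secure_redirect(server: dict) -> Optional[str]:
    """Port of the slide's secure_conn.php logic. `server` holds the relevant
    $_SERVER entries. Returns the Location header value to send, or None when
    the request already came over HTTPS. Raises ValueError rather than build
    a redirect from a Host header or path we do not recognise."""
    # PHP sets HTTPS to "on" (or "1") for TLS requests; some servers use "off".
    if server.get("HTTPS", "") not in ("", "off"):
        return None
    host = server.get("HTTP_HOST", "")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    uri = server.get("REQUEST_URI", "/")
    if not uri.startswith("/") or uri.startswith("//"):
        # "//other.example/..." after "https:" would point at another host
        raise ValueError(f"refusing to redirect to {uri!r}")
    return "https://" + host + uri
```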

Next Steps: CHAPTER 9 LOGIN/LOGOUT COOKIES AND SESSIONS

The Remaining Slides Contain Additional Information about Cryptography IN CASE YOU ARE INTERESTED...

Cryptography: Secret Messages
Being able to send a secure message has been an important tool in warfare and affairs of state for centuries. At a basic level we are trying to get a message from one actor (we will call her Alice) to another (Bob) without an eavesdropper (Eve) intercepting the message. Since a single packet of data is routed through any number of intermediate locations on its way to the destination, getting at your data (and passwords) is as simple as reading the data during one of the hops, unless you use cryptography.

Cryptography: the problem (figure)

Cryptography: the goal (figure)

Cryptography: some key terms
A cipher scrambles a message so that it cannot easily be read unless one has some secret key. The key can be a number, a phrase, or a page from a book. What is important in both ancient and modern cryptography is to keep the key a secret between the sender and the receiver.

Cryptography: substitution ciphers
A substitution cipher is one where each character of the original message is replaced with another character according to the encryption algorithm and key.
- Caesar
- Vigenère
- One-time pad
- Modern block ciphers

Caesar: substitution ciphers
The Caesar cipher, named for and used by the Roman Emperor, is a substitution cipher where every letter of a message is replaced with another letter by shifting the alphabet over an agreed number of places (from 1 to 25). The message HELLO, for example, becomes KHOOR when a shift value of 3 is used.

The problem with lousy ciphers: letter distribution is not flat
The frequency of letters (and of sets of two and three letters) is well known. If you noticed the letter J occurring most frequently, it might well be the letter E.

The problem with lousy ciphers: letter distribution is not flat
Any good cipher must therefore try to make the resulting ciphertext letter distribution relatively flat, so as to remove any trace of the telltale pattern of letter distributions. Simply swapping one letter for another does not do that, necessitating other techniques.

Vigenère: an early attempt to flatten the letter distribution of ciphers
The Vigenère cipher, named for the sixteenth-century cryptographer, uses a keyword to encode a message. The key phrase is written below the message and the letters are added together to form the ciphertext, as illustrated (figure).

One-Time Pad: Vigenère with an infinitely long key
The one-time pad refers to a perfect technique of cryptography where Alice and Bob both have identical copies of a very long sheet of randomly created numbers. Claude Shannon famously proved that the one-time pad is impossible to crack. However, it is impractical to implement on a large scale and remains a theoretical benchmark that is rarely applied in practice.
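The Caesar, frequency-analysis, Vigenère and one-time-pad slides describe one progression, so here is a single added example (written for this page; not from the slides) that carries it through in Python: a Caesar shift, letter frequencies showing why a single shift leaks (the sample sentence is constructed so that E dominates, and after a shift of 5 the most common letter is J, as the slide describes), the Vigenère addition of key letters, and a one-time pad built as Vigenère with a uniformly random key as long as the message. The sample text and the key LEMON are assumptions for the demonstration.

```python
import secrets
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed sample text, chosen so that E is clearly the most common letter.
SAMPLE = "MEET ME WHERE THE GREEN TREES SHELTER THE SECRET MEETING AT THREE"


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places; use a negative shift to decrypt."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)                  # spaces and punctuation pass through
    return "".join(out)


def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter A-Z in `text` (non-letters ignored)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    return {c: counts[c] / len(letters) for c in ALPHABET}


def most_common_letter(text: str) -> str:
    return max(letter_frequencies(text).items(), key=lambda kv: kv[1])[0]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Add (or, when decrypting, subtract) the repeating key letters to the
    message letters, exactly as the slide's written-below-the-message layout."""
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = shifts[i % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def one_time_pad(text: str) -> tuple:
    """Vigenère with a fresh, uniformly random key as long as the message.
    Returns (ciphertext, pad); the pad must be kept secret and never reused."""
    letters = [c for c in text.upper() if c in ALPHABET]
    pad = "".join(secrets.choice(ALPHABET) for _ in letters)
    return vigenere(text, pad), pad
```

Running `most_common_letter` on the sample and on its Caesar shift shows the slide's point directly: the peak moves with the shift but never disappears, which is what lets an analyst read off the key. The same function on one-time-pad output has no stable peak from one run to the next, because each ciphertext letter is independently uniform.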

Modern Block Ciphers: ciphers in the computer age
Block ciphers encrypt and decrypt messages by iteratively replacing a block of the message with another scrambled block, working on 64 or 128 bits at a time. The Data Encryption Standard (DES) and its replacement, the Advanced Encryption Standard (AES), are two block ciphers still used in web encryption today.

DES illustration (figure)
Pretty simple, no?

Symmetric Key Problem: how to exchange the key?
All of the ciphers we have covered thus far use the same key to encode and decode, so we call them symmetric ciphers. The problem is that we have to have a shared private key. How? Over the phone? In an email? Through the regular mail? In person?

Public Key Cryptography: solves the problem of key exchange
Public key cryptography (or asymmetric cryptography) solves the problem of the secret key by using two distinct keys:
- a public one, widely distributed
- another one, kept private
Algorithms like the Diffie-Hellman key exchange allow a shared secret to be created out in the open, despite the presence of an eavesdropper.

A Good Explanation of Public Key Encryption https://youtu.be/e5feqgyll0o

Digital Signatures: confirming the sender is authentic
A digital signature is a mathematically secure way of validating that a particular digital document was created by the person claiming to create it (authenticity), was not modified in transit (integrity), and cannot be denied (non-repudiation). The process of signing a digital document can be as simple as encrypting a hash of the transmitted message.

Digital Signatures: confirming the sender is authentic (figure)

The End