
A Biologically Inspired Password Authentication System
Dipankar Dasgupta and Sudip Saha
Center for Information Assurance, University of Memphis, Memphis, TN 38152

Outline
- Motivation
- Positive Authentication (PA)
- Negative Authentication (NA)
- Implementation Details of NA
- Preliminary Experiments and Results
- Scope of Negative Authentication
- Conclusions and Future Directions
- References

Motivation
- To provide a robust way of immunizing authentication systems (local, remote or online) by adding a layer of password protection that is invisible to the user.
- To reduce the risk of an attacker exploiting the user credential profile (in encrypted or unencrypted form) by working with an approximate complement of that profile instead of the profile itself.
- To defend through obfuscation, an approach inspired by the T-cell maturation process in the biological immune system.

Identification
Identification of the user can be based on:
- Who the user is: a fingerprint, iris scan or voice verification (biometrics).
- What the user knows: a password or personal identification number (PIN) that the user enters.
- What the user has: a smart card or digital certificate.
- Where the user is: global positioning system (GPS) location.
The most common form of authentication (its identification part) is through account details, i.e. a username and password: what the user knows.

Authentication
The process of verifying the claimed identity of a user. Two steps are involved:
- Identification (through the login ID)
- Verification (through the password)
Traditional approach: look the entity up in a secure store of all identities and verify the supplied credential against it. Because the real credentials are accessed during verification, this is termed positive authentication (PA).

Traditional Windows identity stores
- Security Account Manager (SAM) file: passwords stored in NT (NTLM) hash form (the NT hash is MD4 over the UTF-16LE password); used for local logins on Windows NT-family systems.
- Active Directory: passwords stored in several one-way-function (OWF) hash forms; used for Windows domain logins and LDAP authentication.

Traditional Unix identity stores
/etc/passwd
- Obsolete as a password store in Linux authentication: the file is readable by every user, so keeping password hashes in it is very risky.
- Format: account:password:UID:GID:GECOS:directory:shell
- Example: a username whose password field holds a crypt(3) hash (DES, MD5, Blowfish/bcrypt, etc.).
/etc/shadow
- Used as the password store for password-file authentication in Linux.
- Readable only by root, i.e. a store with a different access privilege from /etc/passwd.
- Format: username:hashed password:....

Issues with current approaches
All existing approaches designed for secure authentication use the positive identification database directly during the authentication process.
Security threats:
- The authentication servers are vulnerable to online and offline guessing attacks.
- The password information table could be read or altered by an intruder.
- An intruder can also append a new ID and password to the table.
In fact, most security penetrations occur when the security validation information is exposed in some form.
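The following is an added example, not code from the slides: a small auditor that parses the /etc/passwd and /etc/shadow record formats described above and flags the storage problems the slides warn about (a hash left in world-readable /etc/passwd, an empty password field, or a legacy DES/MD5 crypt(3) hash). The sample records are constructed and the hash strings are placeholders, not real password hashes; the prefix table reflects the crypt(3) identifiers used by glibc/libxcrypt.

```python
"""Audit /etc/passwd and /etc/shadow records for weak password storage.

Added example for this page; the records below are constructed and the
hash values are placeholders, not real hashes.
"""

PASSWD_FIELDS = ("account", "password", "uid", "gid", "gecos", "directory", "shell")
SHADOW_FIELDS = ("username", "hash", "lastchange", "min", "max",
                 "warn", "inactive", "expire", "reserved")

# crypt(3) hash identifiers -> algorithm. A bare 13-character field with no '$'
# is a traditional DES hash (2-char salt + 11 chars of hash).
CRYPT_PREFIXES = {
    "$1$": "MD5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256", "$6$": "SHA-512",
    "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK_ALGORITHMS = {"DES", "MD5"}

# Constructed sample records (placeholders, not real accounts or hashes).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "legacy:abPlaceholde1:1001:1001:Legacy User:/home/legacy:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)
SAMPLE_SHADOW = (
    "root:$6$saltsalt$placeholderhash:19000:0:99999:7:::\n"
    "alice:$1$abcdefgh$placeholderhash:19000:0:99999:7:::\n"
    "bob::19000:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"
)


def hash_algorithm(field):
    """Classify the password field of a passwd or shadow record."""
    if field == "":
        return "empty"          # login with no password at all
    if field == "x":
        return "shadowed"       # real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"         # account cannot log in with a password
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "DES"
    return "unknown"


def _parse(text, fields, maxsplit):
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        records.append(dict(zip(fields, line.split(":", maxsplit))))
    return records


def parse_passwd(text):
    # The shell field is last and may not contain ':', so split at most 6 times.
    return _parse(text, PASSWD_FIELDS, 6)


def parse_shadow(text):
    return _parse(text, SHADOW_FIELDS, 8)


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs for every storage weakness found."""
    findings = []
    for rec in parse_passwd(passwd_text):
        algo = hash_algorithm(rec["password"])
        if algo not in ("shadowed", "locked"):
            findings.append((rec["account"],
                             f"password field in world-readable /etc/passwd ({algo})"))
    for rec in parse_shadow(shadow_text):
        algo = hash_algorithm(rec["hash"])
        if algo == "empty":
            findings.append((rec["username"], "empty password field"))
        elif algo in WEAK_ALGORITHMS:
            findings.append((rec["username"], f"weak {algo} hash"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On the constructed sample the auditor reports the DES hash sitting in /etc/passwd for `legacy`, the MD5 hash for `alice`, and the empty password field for `bob`; the locked `daemon` entry and the SHA-512 entry for `root` pass.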

Effect of authentication failures
Lack of proper authentication gives attackers an easy way in (the "key to the kingdom"). Once attackers gain access to the system they can carry out any harmful activity, such as:
- stealing confidential information
- launching distributed denial-of-service attacks
- defacing web sites
- stealing billing and credit card information
- making fraudulent purchases, etc.

Reports on password attacks
Zone-H statistics report of registered attacks in 2005-2007, published in March 2008: various attacks successfully employed on the web (www.zone-h.org).

What is Negative Authentication?
PA uses a password profile containing the passwords of all users who are authorized to access the system (or the server). The negative counterpart (the non-self, or anti-password, space) represents all strings that are not in the password file. These anti-passwords can be used as the first line of authentication, to filter out illegitimate access requests before the positive profile is consulted.

Negative Authentication approach (contd.)
[Figures: the system resource and the authentication process; ambiguity in the Anti-P file. Source: http://www.memphis.edu/fedex/passwordimmunizer/index.htm]

Process of Anti-P generation
Generate encrypted vectors from the credential profile, then generate the Anti-Ps (detectors) in the complement of that space. [Process diagram not reproduced in the transcript.]

Test data and experiments
- Passwords: OpenWall Project word list (approx. 2500 most common passwords).
- Usernames: the most common first and last names in the USA, from the US census (http://www.census.gov/genealogy/names/names_files.html), and usernames from forensic logs of cracking attempts.
Objectives of the experiments
- Decrease the number of Anti-Ps (detectors).
- Achieve a good detection rate with obfuscation:
  - not too high, or the effect is almost the same as positive authentication;
  - not too low, or negative authentication has no value.
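The scheme described in the preceding slides (an anti-password detector set generated in the complement of the credential space, used as a filter in front of positive authentication, with a confusion parameter and elimination of small detectors as knobs) can be made concrete with the following added example. It is not the authors' implementation: the slides do not give their encoding or detector shape, so this code assumes a real-valued negative selection over the unit square, with each credential mapped to a point by hashing the username and the password separately with SHA-256, and each Anti-P a circle whose radius is the distance to the nearest valid credential minus the confusion margin. The account list is constructed sample data; `evaluate`, `generate_anti_passwords` and the other names are this example's own.

```python
"""Toy negative authentication with real-valued detectors (Anti-Ps).

Added example, not the authors' code. Assumptions: credentials are encoded
as points in [0,1)^2 via SHA-256, detectors are circles, and the confusion
parameter is a margin around each valid credential that no detector may
enter. By construction no valid credential ever lands inside a detector.
"""
import hashlib
import math
import random

# Constructed sample accounts (common-password style, not real credentials).
SAMPLE_ACCOUNTS = [(f"user{i:02d}", pw) for i, pw in enumerate(
    ["password", "123456", "letmein", "qwerty", "dragon", "monkey",
     "baseball", "football", "shadow", "master", "sunshine", "princess",
     "trustno1", "welcome", "abc123", "iloveyou", "admin", "login",
     "starwars", "hello"])]


def credential_point(username, password):
    """Map (username, password) to a point in the unit square (assumed encoding)."""
    def coord(s):
        digest = hashlib.sha256(s.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big") / 2 ** 64
    return coord(username), coord(password)


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def generate_anti_passwords(self_points, candidates=3000, confusion=0.05,
                            min_radius=0.01, seed=7):
    """Return a list of (center, radius) detectors covering the non-self space.

    A random center gets radius = distance to nearest valid credential minus
    the confusion margin, so it can never contain a valid credential. Centers
    already covered by an earlier detector are dropped (keeps the set small);
    detectors below min_radius are discarded (eliminating small Anti-Ps).
    """
    rng = random.Random(seed)
    detectors = []
    for _ in range(candidates):
        center = (rng.random(), rng.random())
        radius = min(_dist(center, s) for s in self_points) - confusion
        if radius < min_radius:
            continue
        if any(_dist(center, c) < r for c, r in detectors):
            continue
        detectors.append((center, radius))
    return detectors


def is_rejected(detectors, username, password):
    """Negative check: True if the request falls inside any Anti-P detector."""
    p = credential_point(username, password)
    return any(_dist(p, c) < r for c, r in detectors)


def authenticate(detectors, accounts, username, password):
    """Negative filter first; only survivors reach the positive (profile) check."""
    if is_rejected(detectors, username, password):
        return False
    return (username, password) in accounts  # stand-in for positive authentication


def evaluate(accounts=SAMPLE_ACCOUNTS, trials=2000, seed=11, **params):
    """Return (number of Anti-Ps, detection rate on bad requests, false rejects)."""
    self_points = [credential_point(u, p) for u, p in accounts]
    detectors = generate_anti_passwords(self_points, **params)
    false_rejects = sum(is_rejected(detectors, u, p) for u, p in accounts)
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        username, _ = accounts[rng.randrange(len(accounts))]   # valid name ...
        guess = f"guess{rng.randrange(10 ** 6)}"                # ... wrong password
        caught += is_rejected(detectors, username, guess)
    return len(detectors), caught / trials, false_rejects


if __name__ == "__main__":
    for conf in (0.02, 0.05, 0.10):
        n, rate, fr = evaluate(confusion=conf)
        print(f"confusion={conf:.2f}: {n} Anti-Ps, "
              f"detection rate {rate:.2f}, false rejects {fr}")
```

Running the module sweeps the confusion parameter and prints, for each value, how many Anti-Ps survive and what fraction of wrong-password requests the negative filter stops before any positive lookup happens. A compromised detector set reveals only regions that contain no valid credential, which is the obfuscation the slides are after; note that a request that slips past the detectors is still checked positively, so the detection rate governs how much load the negative layer removes, not whether bad logins succeed.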

Selecting parameters
Table: summary of experiments with varying size of the valid account set and Anti-P coverage. [Table values not reproduced in the transcript.] With a larger account set, higher coverage is required to get a good detection rate, but at the same time a larger set of Anti-Ps is needed.

Selecting the confusion parameter
Fig.: effect of changing the confusion parameter on the number of Anti-Ps and on the detection rate. For a given number of accounts, neither the detection rate nor the Anti-P set size changes up to some value of the confusion parameter; both fall for high values, but the Anti-P set size starts falling at a lower confusion parameter than the detection rate does. Depending on the account set size, a suitable confusion parameter can therefore be chosen at which a smaller number of Anti-Ps is achieved with only a small compromise in detection rate.

Number of Anti-Ps and detection rate
Fig.: variation of (a) the number of Anti-Ps and (b) the detection rate with the number of passwords and the coverage, at confusion parameter = 0.05. (a) The number of Anti-Ps increases almost exponentially with the expected Anti-P coverage, whereas it increases only up to some point as the number of accounts grows. (b) The detection rate increases with coverage but decreases with the number of accounts.

Effect of eliminating small Anti-Ps
Fig.: both the number of Anti-Ps and the detection rate decrease if small Anti-Ps are eliminated, but the number of Anti-Ps falls faster than the detection rate does. For example, with 1000 valid passwords, if Anti-Ps of size 0.04 or smaller are eliminated, the number of Anti-Ps falls to 83% of the original number, whereas the detection rate falls only to 95% of the original rate.

Sparseness issue of hashes
Fig.: scatter plot of 5600 (username, password) pairs as (a) plaintext credentials and (b) hashed credentials. [Plots not reproduced in the transcript.]

Plaintext vs. hashed information
Fig.: performance comparison for plaintext and hashed account information; variation of (a) the number of Anti-Ps and (b) the detection rate with change in parameters.

Scope of Negative Authentication
Negative authentication (NA) can be used wherever positive authentication (PA) is used: wherever a credential store is maintained and a request is searched for a match there. Examples:
- challenge-response authentication
- HTTP form-based authentication
- LDAP authentication
- NT LAN Manager (NTLM) authentication

Scope of Negative Authentication (contd.)
Negative authentication is not applicable to approaches in which the submitted password is not matched against a credential store. Examples:
- Kerberos authentication for Windows domain login (the KDC verifies possession of the key derived from the password, not the password itself)
- document-oriented authentication such as digital signatures
- PKI-based authentication

Conclusions and future directions
- With this approach it will be harder (if not impossible) to discover any individual password even if the Anti-Passwords are compromised.
- The negative profile is less vulnerable to guessing attacks, and can also be used for forensics.
- This approach does not address security issues in transit (on the communication channel).
Future directions:
- Dealing with very large password files (as in e-business).
- Making negative authentication adaptive to account changes.
- Real-world implementation in PAM.

References
- Z. Ji, D. Dasgupta. Real-Valued Negative Selection Using Variable-Sized Detectors. Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), Seattle, Washington, June 2004.
- D. Dasgupta, R. Azeem. An Investigation of Negative Authentication Systems. Proceedings of the 3rd International Conference on Information Warfare and Security, Omaha, USA, April 2008.
- Z. Ji, D. Dasgupta. Estimating the Detector Coverage in a Negative Selection Algorithm. Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), Washington, D.C., June 2005.
- B. Hartman, D. J. Flinn, K. Beznosov, S. Kawamoto. Mastering Web Services Security. Wiley Publishing Inc., 2003.
- R. E. Smith. Authentication: From Passwords to Public Keys. Addison-Wesley, 2002.
- D. Dasgupta, S. Forrest. An anomaly detection algorithm inspired by the immune system. In: D. Dasgupta (ed.), Artificial Immune Systems and Their Applications, Springer-Verlag, 1999, pp. 262-277.
- Zone-H statistics report 2005-2007, http://www.zone-h.org/news/id/4686