Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Similar documents
Web Security, Summer Term 2012

Web Security, Summer Term 2012

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

Information Security CS 526 Topic 11

Web Application Security. Philippe Bogaerts

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

P2_L12 Web Security Page 1

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Identity, Authentication and Authorization. John Slankas

Web basics: HTTP cookies

Combating Common Web App Authentication Threats

Security Course. WebGoat Lab sessions

Authentication. Chapter 2

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

(2½ hours) Total Marks: 75

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web basics: HTTP cookies

Lecture 9 User Authentication

HOST Authentication Overview ECE 525

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Information Security CS 526 Topic 8

Web Application Penetration Testing

Introduction to Ethical Hacking

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CS530 Authentication

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

CIS 4360 Secure Computer Systems XSS

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

C1: Define Security Requirements

WHY CSRF WORKS. Implicit authentication by Web browsers

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Common Websites Security Issues. Ziv Perry

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Solutions Business Manager Web Application Security Assessment

Chapter 3: User Authentication

Restricting Unauthorized Access Using Biometrics In Mobile

How to Configure Authentication and Access Control (AAA)

Web Security. Thierry Sans

Application Layer Security

5. Authentication Contents

CSE 565 Computer Security Fall 2018

CS 161 Computer Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Authentication Technologies

COMPUTER NETWORK SECURITY

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Man in the Middle Attacks and Secured Communications

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Copyright

Web Application Vulnerabilities: OWASP Top 10 Revisited

CSC 474 Network Security. Authentication. Identification

Vidder PrecisionAccess

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

COMP9321 Web Application Engineering

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

WebGoat Lab session overview

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

EasyCrypt passes an independent security audit

Web Security II. Slides from M. Hicks, University of Maryland

Authentication CHAPTER 17

CYBER SECURITY MADE SIMPLE

COMP9321 Web Application Engineering

En#ty Authen#ca#on and Session Management

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Security Specification

Computer Security: Principles and Practice

Overview. SSL Cryptography Overview CHAPTER 1

Configuring the CSS for Device Management

Vulnerabilities in online banking applications

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Integrated Access Management Solutions. Access Televentures

Some Facts Web 2.0/Ajax Security

Sumy State University Department of Computer Science

Authentication Methods

SWAMID Person-Proofed Multi-Factor Profile

Logging in to SecureSync

Hardware One-Time Password User Guide November 2017

CitiDirect BE SM Mobile

Biometrics. Overview of Authentication

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Pro s and con s Why pins # s, passwords, smart cards and tokens fail

CSCE 548 Building Secure Software Entity Authentication. Professor Lisa Luo Spring 2018

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Lecture 9. Authentication & Key Distribution

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Transcription:

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability Guarantee access to data Confidentiality Security Availability Integrity 2/11/18 Introduction 2

Who are you? Beyond CIA Prove it! Here s your stuff... Identification Authentication Authorization 2/11/18 CS166 3

Identification Humans are generally indistinguishable in front of a computer A subject should provide an identity The system will verify if you have the proof to claim an identity This process is called Authentication 2/11/18 CS166 4

Authentication Authentication is the act of confirming the truth of an attribute of a datum or entity There are three authentication factors: Knowledge: Something you know Ownership: Something you have Inherence: Something you are 2/11/18 CS166 5

Knowledge Something the user knows (e.g., a password, or PIN, challenge/response (the user must answer a question), pattern) Strengths Easy to transport Can be changed Easily transferrable/easy to duplicate Weaknesses Can be forgotten Easy to duplicate Verifier often learns the secret 2/11/18 CS166 6

security token, etc.) Strengths Easily transferable More difficult to clone that what you know Ownership Something the user has (e.g., phone number, ID card, Weaknesses Easily transferable Can be lost or stolen Can be forged e.g. a key can be made from photos 2/11/18 CS166 7

Inherence Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence, voice, etc.). Strengths Weaknesses Non-transferable Forgeable (ie, fingerprint Usually identifies from picture or from a individual glass) Can be lost (ie, loss or degradation) Can t be changed 2/11/18 CS166 8

Authentication Devices Time-Varying Codes (One Time Password) Physical/Tamper proof Precise clock Hash chain inside Biometric physiological or behavioral characteristic Irises, fingerprints, etc. 2/11/18 CS166 9

More authentication factors? Location factor Where you are (ie. Gps, Mobile Cell, etc.) Ability factor What you can do ( ie. Keystroke Dynamics, mouse tracking, etc.) Usually they are classified in the inherence factor, It is an open problem NIST SP 800-63-1 2/11/18 CS166 10

If you need more security? Could you use more authentication factor to verify the identity of a user? Multi Factor Authentication is born 2/11/18 To increase the level of security, many systems will require a user to provide different types of authentication factor 2-factor authentication ATM card + PIN Credit card + signature Passport + fingerprint 3-Factor authentication ATM Card + Pin + Fingerprint Passport + fingerprint + face CS166 11

Multi-step Authentication User submits two or more authentication tokens ATM bank card (Two Factor) Physical card (something you have) PIN (something you know) Password + code sent to the phone (Two Step) Brown Authentication Enter password (something you know) Enter code (something you know) 2/11/18 CS166 12

Authorization Once a subject is Authenticated, access should be authorized Authorization is the function of specifying access rights to resources (access control) More formally, "to authorize" is to define access policy: permissions, rights, etc. 2/11/18 CS166 13

AAA and more Identification, Authentication, Authorization, Accounting, Auditing AAA Working Group, IETF Identification Authentication Authorization Access Control Security Reference Monitor Access Credentials, UserID, etc. Factors, Proofs, etc. Rights, Permissions, Privileges, ACL, etc. Accounting Auditing 2/11/18 CS166 14

Summary Often broken into three steps Identification, Authentication, and Authorization Three ways to prove authentication Something you have/are/know Multifactor authentication is generally more secure 2/11/18 CS166 15

Model of Web Access Control Authentication Password, multi factors, etc. Session Management Keep track of authenticated users Authorization Given authentication, check permissions 2/11/18 CS166 16

In BROWSER we trust Most of our trust on web security relies on information stored in the Browser: A Browser should be updated since Bugs in the browser implementation can lead to various attacks Add-ons too are dangerous Hacking Team flash exploits - goo.gl/syvwid Executing a browser with low privileges helps 2/11/18 CS166 17

HTTP Headers Every http packet comes with a header Key/Value pairs storing metadata about the request/response 2/11/18 CS166 18

Session Management & Security A user does not want to authenticate for every single request Http is stateless Ideas? Log in once Generate a Session token/id a temporary token used to both identify and authenticate user 2/11/18 CS166 19

How to implement a session token? Usually a random long string (not always) A shared secret between client and server Stored in a Cookie with an expiration time and a configured host Automatically sent with every request DEMOS (No Cookies - No Sessions) 2/11/18 CS166 20

DEMO (1) 1. Removing cookies erases authentication Server makes us log in again 2. Remember me checkbox on the login Cookie does not expire in the browser but also on the server 3. Logout and session cookie removed on client and server 4. If we disable cookies, can not sign in to most websites 2/11/18 CS166 21

Client-Side Controls Web security problems arises because clients can submit arbitrary input OWASP TOP 10 comparison (goo.gl/oxyqde) What about using client side controls to check the input? Which kind of controls? 2/11/18 CS166 22

Web client tool Web inspection tool: Firefox Firebug or Chrome web developer: powerful tools that allow you to edit HTML, CSS and view the coding behind any website: CSS, HTML, DOM and JavaScript Web Proxy: Burp, OWASP ZAP, Tamper Data etc. Allow to modify GET or POST requests 2/11/18 CS166 23

HTTP Proxy An intercepting Proxy: inspect and modify traffic between your browser and the target application Burp Intruder, OWASP ZAP, Tamper Data etc. 2/11/18 CS166 24

DEMO (2) 1. Session cookie theft (chrome -> firefox tamperdata) 2. Session id randomness measure (burp) goo.gl/7xtppw (randomness description) 2/11/18 CS166 25

Same Origin Policy (SOP) The SOP restricts how a document or script loaded from one origin can interact with a resource from another origin One origin is permitted to send information to another origin, but one origin is not permitted to receive information from another origin Without "allow sending, there would be no "web" at all because each origin would be allowed to link only to itself 2/11/18 CS166 26

Browser add-ons: Request Policy (RP) RP gives you a default deny policy for cross-site requests Cross-site requests are: requests that your browser is told to make by a website you are visiting to a completely different website RP allows you to whitelist cross-site requests you trust 2/11/18 CS166 27

Is this site Secure? Web Technology introduced a new range of vulnerabilities not present in earlier Client Applications Unfortunately it is not enough to say : We use Https or SSL -128 bit so this site is absolutely secure Main problem, users can: Submit arbitrary inputs Interfere with any piece of data transmitted Forge requests or parameters with tools external to the browser In the modern web application frameworks (e.g. Spring, Struts, Hibernate, etc.) or CMS (e.g. wordpress, joomla, etc. ) are commonly used and they can have bugs. 2/11/18 CS166 28

Summary Maintaining a session is a problem on the web Pay attention to session cookies Expiration Randomness Tracking Log out is more secure than closing the page Input validation server side 2/11/18 CS166 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback