Security and Authentication


Authentication and Security
A major problem with computer communication is trust: who is sending you those bits, and what are they allowed to do in your system?

Authentication
In distributed systems, services are rendered in response to incoming messages, so it is important that the server knows for sure who the client is. The simple solution is to send the user name and password with every request.

Kerberos: Authentication in Distributed Systems

Kerberos History
Developed at MIT in the early 1980s, when computing was shifting from mainframes to workstations: pools of distributed workstations connected to servers, and with them the concept of network credentials. There are two commercial and non-compatible versions, V4 and V5. Its principles and systems are still relevant today.

Kerberos
An authentication service based on a secure authentication server and on encryption. The server knows all passwords, but they are never transmitted across the network; passwords are used to generate encryption keys.

Kerberos Environment
Separation between two actions: authentication (logging into the network) and communication (holding a session between two parties).

Kerberos Architecture 9

Kerberos Protocol
The client workstation where the user is trying to log in sends the user name U to the server. The Kerberos server then does the following: it looks up the user's password p and uses a one-way function to create an encryption key Kp from it; it generates a new session key Ks for this login session; and it bundles the session key with the user name: {U, Ks}.

Kerberos Protocol (cont.)
It uses its own secret encryption key Kk to encrypt this bundle, producing the unforgeable ticket {U, Ks}Kk. It bundles the session key with the ticket, creating {Ks, {U, Ks}Kk}. Finally, the whole thing is encrypted using the user key Kp that was generated from the user's password, giving {Ks, {U, Ks}Kk}Kp. This is sent back to the client.

Kerberos Protocol (cont.)
The client does the following steps: it prompts the user for the password p, immediately computes Kp, and erases the password. Using Kp, it decrypts the message it got from the server and obtains Ks and the ticket {U, Ks}Kk. It then erases the user key Kp.

Now What?
Now the client can send authenticated requests to the Kerberos server. Each request is composed of two parts: the request itself, R, encrypted using Ks, and the unforgeable ticket. The server decrypts the ticket using its secret key Kk and finds U and Ks.

But...
An eavesdropper can copy the whole request message and retransmit it. Also, the Kerberos server does not provide any real services; all it does is provide keys for other servers.

Finally
Kerberos will send the allocated key Kf to the client encrypted by Ks, and also send it to the file server using Kb. The client will then be able to use Kf to convince the file server of its identity and to perform operations on files.
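The login and request exchange from the Kerberos Protocol slides through the "But" slide, as an added example that is not from the original slides. It uses a toy authenticated cipher built from hashlib/hmac in place of Kerberos's real ciphers, JSON in place of its message encoding, and a constructed password table; the one-way key derivation, the ticket layout and the replay behaviour follow the slides.

```python
import hashlib, hmac, json, os

# Constructed sample data: the Kerberos server's password table and its own secret key Kk.
PASSWORDS = {"alice": "correct horse battery"}
K_K = os.urandom(32)

def one_way(password: str) -> bytes:
    """Kp: the user key derived from the password by a one-way function (SHA-256 stands in here)."""
    return hashlib.sha256(password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption {m}K: XOR with a keyed keystream, then an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")   # a wrong password lands here
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def server_login(user: str) -> bytes:
    """Kerberos Protocol slides: build {Ks, {U,Ks}Kk}Kp for the named user."""
    kp = one_way(PASSWORDS[user])
    ks = os.urandom(32)
    ticket = encrypt(K_K, json.dumps({"U": user, "Ks": ks.hex()}).encode())   # {U,Ks}Kk
    return encrypt(kp, json.dumps({"Ks": ks.hex(), "ticket": ticket.hex()}).encode())

def client_login(password: str, reply: bytes):
    """Client side: derive Kp, unwrap Ks and the opaque ticket, then forget Kp."""
    kp = one_way(password)
    inner = json.loads(decrypt(kp, reply))
    del kp
    return bytes.fromhex(inner["Ks"]), bytes.fromhex(inner["ticket"])

def client_request(ks: bytes, ticket: bytes, request: str):
    """'Now What?' slide: an authenticated request is {R}Ks plus the ticket."""
    return encrypt(ks, request.encode()), ticket

def server_handle(enc_request: bytes, ticket: bytes):
    """Server side: recover U and Ks from the ticket with Kk, then read R."""
    t = json.loads(decrypt(K_K, ticket))
    return t["U"], decrypt(bytes.fromhex(t["Ks"]), enc_request).decode()
```

Nothing in the request ties it to a moment in time, so handing the same captured (enc_request, ticket) pair to server_handle a second time is accepted exactly as the first was, which is the replay the "But" slide points out.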

Introduction to Security
Based on slides by Shlomo Kipnis, Introduction to Security course.

What is Security?
Making sure that bad things do not happen; reducing the chances that bad things will happen; lowering the impact of bad things; providing means to recover from bad things.

Security Challenges
Securing a variety of different systems; securing the interfaces between different systems; different security goals and needs; attackers seek the weakest link in the system, while security people must protect all links in the system; maintaining system usability; keeping security costs under control.

Threats & Attacks
Unauthorized access, denial of service, computer viruses, Trojan horses, information loss, data leaks, data manipulation, data theft, data destruction, program manipulation.

Eavesdropping and Packet Sniffing
Description: acquiring information without changing it.
Means: packet sniffers, routers, gateways; capturing and filtering out packets.
Threats: sniffing can be used to catch various information sent over the network: login + password, credit card numbers, e-mails and other messages, traffic analysis.

Snooping
Description: acquiring information without modifying it.
Means: browsing documents on disk or in main memory; using legitimate privileges (insiders); hacking into a system (outsiders); stealing laptops; monitoring keyboard strokes; observing timing information (covert channels).
Threats: obtaining sensitive information (files with credit card numbers); discovering passwords, secret keys, etc.

Tampering
Description: modifying or destroying stored data.
Means: insiders misusing privileges or outsiders breaking into the system.
Threats: changing records (school grades, prison records, taxpayers' debts; the NY $13 million property tax fraud); erasing audit trails (by a hacker); planting Trojan horses for password gaining and other uses.

Spoofing
Description: impersonating other users or computers to obtain privileges.
Means: account stealing, password guessing, social engineering; IP spoofing: e-mail forging, false IP "From" address, hijacking IP connections.
Threats: forged messages ("exam is cancelled"); denial of service (IP attacks, SYN attacks, Ping-of-Death).

Jamming
Description: disabling a system or service.
Means: engaging the host in numerous (legitimate) activities until its resources are exhausted; spoofing return addresses to avoid tracing.
Threats: consuming all resources on the attacked machines, e.g., memory (SYN attack) or disk (e-mail attack); exploiting a bug to shut down hosts (Ping-of-Death).

Code Injection
Description: injecting malicious code to execute on a host with high privileges and to infect other hosts.
Means: virus: attached to an executable, spread through infected floppy disks, e-mail attachments, macros; worm: replicates over the Internet.
Threats: everything.

Methods 26

Exploiting Flaws
Exploiting vulnerabilities in software to penetrate systems: buffer overflows (e.g., finger, the Internet Worm, web site applications); mobile code security flaws (Java, ActiveX).
Knowledge spreads faster than the remedy: hacker bulletins; advisories and flaw/fix repositories, e.g., CERT; publicly available software kits to detect known vulnerabilities, e.g., SATAN, ISS. But these are not always followed readily, and are often used to the advantage of hackers. Publicly available hacker kits on the net, e.g., RootKit (Unix).

Password and Key Cracking
Guessing: family member names, phone numbers, etc. Dictionary attack: systematic search. Crack: a dictionary attack extended with common patterns; crack is now employed by sys-admins and by the passwd program. Exhaustive search: cryptanalysis tools evolve continually, and the Internet provides a massively parallel computing resource. Cryptanalysis, bad generators, timing analysis. Smart-card cracking via fault injection.
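As an added example (not from the slides), a proactive password check of the kind the slide says the passwd program now performs with crack: it undoes the common patterns a dictionary search would try (case, leet substitutions, digits and symbols prepended or appended) before comparing against a wordlist and against the user's own details, so the weak password is rejected before it is ever set. The wordlist, the substitution table and the pattern regexes are constructed for illustration.

```python
import re

# Constructed mini wordlist; a real checker uses large dictionaries, as crack does.
WORDLIST = {"password", "secret", "kerberos", "summer", "dragon"}
# Common leet substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")
TRAILING = r"[0-9!@#$%^&*]+$"
LEADING = r"^[0-9!@#$%^&*]+"

def candidates(pw: str) -> set:
    """The base words a crack-style search would reach this password from."""
    base = pw.lower()
    stripped = {base, re.sub(TRAILING, "", base), re.sub(LEADING, "", base),
                re.sub(LEADING, "", re.sub(TRAILING, "", base))}
    return stripped | {s.translate(LEET) for s in stripped}

def is_weak(pw: str, user: str, personal=()):
    """Return why the password would fall to guessing or a dictionary attack, or None if it passes."""
    if len(pw) < 8:
        return "too short"
    forms = candidates(pw)
    personal_forms = {p.lower() for p in (user, *personal) if p}
    if forms & WORDLIST:
        return "dictionary word with common pattern"
    if forms & personal_forms or any(p in pw.lower() for p in personal_forms):
        return "derived from personal information"
    if pw.isdigit():
        return "all digits (phone number style)"
    return None
```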

Social Engineering
Spoofing a real system: login screen, phone numbers, the ATM story. Spoofing a service: stealing credit card numbers and PINs, stealing passwords. Agent-in-the-middle attacks: a special print of a newspaper; router, gateway, bulletin boards, etc.

Buffer Overflow
Based on slides by Tomer Harpaz, Advanced OS seminar.

Buffer Overflows
Common. Stack or heap. Overwriting control data or sensitive data.

Memory Organization (diagram of the address space from 0x0000 to 0xffff; not transcribed)

Memory Organization (cont.) (diagram of memory addresses; not transcribed)

Stack Buffer Overflow (diagram; not transcribed)

Stack Buffer Overflow (cont.) (diagram; not transcribed)

Solutions
OS level: Exec Shield, address space layout randomization, etc. Programmer level: fgets (not gets), strncpy (not strcpy), etc.