CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

Similar documents
CSC 474 Network Security. Authentication. Identification

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

CSCI 667: Concepts of Computer Security

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

CSC 405 Introduction to Computer Security

CNT4406/5412 Network Security

Authentication Objectives People Authentication I

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

CSE 565 Computer Security Fall 2018

Lecture 3 - Passwords and Authentication

User Authentication. Modified By: Dr. Ramzi Saifan

Lecture 3 - Passwords and Authentication

User Authentication. Modified By: Dr. Ramzi Saifan

HOST Authentication Overview ECE 525

User Authentication Protocols

5. Authentication Contents

Lecture 9 User Authentication

In this unit we are continuing our discussion of IT security measures.

Computer Security: Principles and Practice

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

Passwords. EJ Jung. slide 1

User Authentication Protocols Week 7

COMPUTER NETWORK SECURITY

CS System Security Mid-Semester Review

Chapter 3: User Authentication

Password. authentication through passwords

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

Web Security, Summer Term 2012

Web Security, Summer Term 2012

HY-457 Information Systems Security

CS530 Authentication

Computer Security 3/20/18

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

CIS 6930/4930 Computer and Network Security. Final exam review

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Authentication Technology Alternatives. Mark G. McGovern Chief Technologist Smart Cards, Crypto, Stego, PKI Lockheed Martin

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Online Threats. This include human using them!

Unit-VI. User Authentication Mechanisms.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Authentication. Overview of Authentication systems. IT352 Network Security Najwa AlGhamdi

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Identification Schemes

Syllabus: The syllabus is broadly structured as follows:

Information Security & Privacy

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Authentication Methods

===============================================================================

Authentication. Chapter 2

Intruders, Human Identification and Authentication, Web Authentication

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Access Controls. CISSP Guide to Security Essentials Chapter 2

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Information Security CS 526

Network Security and Cryptography. December Sample Exam Marking Scheme

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 19

Authentication CS 136 Computer Security Peter Reiher January 22, 2008

MODULE NO.28: Password Cracking

Security Handshake Pitfalls

Lecture 14 Passwords and Authentication

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

Lecture Notes for Chapter 3 System Security

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

Information Security CS 526

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Integrated Access Management Solutions. Access Televentures

Security Handshake Pitfalls

Identification and Authentication

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 13

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

CPSC 467b: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

ID protocols. Overview. Dan Boneh

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 9. Authentication & Key Distribution

CSC 474/574 Information Systems Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Computer Security 4/12/19

Security Handshake Pitfalls

Authentication Protocols. Outline. Who Is Authenticated?

CS 161 Computer Security

Overview. Terminology. Password Storage

Security+ SY0-501 Study Guide Table of Contents

Rethinking Authentication. Steven M. Bellovin

Authentication System

Linux Network Administration

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

CS System Security 2nd-Half Semester Review

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

AIT 682: Network and Systems Security

Network Security and Cryptography. 2 September Marking Scheme

Transcription:

CIS 6930/4930 Computer and Network Security Topic 6. Authentication 1

Authentication Authentication is the process of reliably verifying certain information. Examples User authentication Allow a user to prove his/her identity to another entity (e.g., a system, a device). Message authentication Verify that a message has not been altered without proper authorization. 2

Authentication Mechanisms Password-based authentication Use a secret quantity (the password) that the prover states to prove he/she knows it. Threat: password guessing/dictionary attack Alice I m Alice, the password is fiddlesticks Computer System 3

Authentication Mechanisms (Cont d) Address-based authentication Assume the identity of the source can be inferred based on the network address from which packets arrive. Threat Spoof of network address Not authentication of source addresses 4

Authentication Mechanisms (Cont d) Cryptographic authentication protocols Basic idea: A prover proves some information by performing a cryptographic operation on a quantity that the verifier supplies. Usually reduced to the knowledge of a secret value A symmetric key The private key of a public/private key pair 5

CIS 6930/4930 Computer and Network Security Topic 6.1 User Authentication 6

Authentication and Identity What is identity? which characteristics uniquely identifies a person? do we care if identity is unique? Authentication: verify a user s identity a supplicant wishes to be authenticated a verifier performs the authentication 7

User Authentication Can Be Based On What the user knows passwords, personal information, a key, a credit card number, etc. Where the user is or can be reached email address, IP address, Physical characteristics of the user fingerprints, voiceprint, signature dynamics, iris pattern, DNA, etc. What the user has in their possession smart card, (physical) key, USB token, 8

Password Authentication 9

Password-Based User Authentication User demonstrates knowledge of a secret value to authenticate most common method of user authentication response challenge 10

Some Issues for Password Systems A password should be easy to remember but hard to guess that s difficult to achieve! Some questions what makes a good password? where is the password stored, and in what form? how is knowledge of the password verified? 11

Password Storage Storing unencrypted passwords in a file is high risk compromising the file system compromises all the stored passwords Better idea: use the password to compute a oneway function (e.g., a hash, an encryption), and store the output of the one-way function When a user inputs the requested password 1. compute its one-way function 2. compare with the stored value 12

Attacks on Passwords Suppose passwords can be from 1 to 9 characters in length Possible choices for passwords = 26 1 + 26 2 +... + 26 9 = 5 * 10 12 At the rate of 1 password per millisecond, it will take on the order of 150 years to test all passwords Unfortunately, not all passwords are equally likely to be used 13

Example of a Study In a sample of over 3000 passwords: 500 were easily guessed versions of dictionary words or first name / last name 86% of passwords were easily guessed 14

Common Password Choices Pet names Common names Common words Dates Variations of above (backwards, append a few digits, etc.) 15

Attack 1 (online): Dictionary Attacks Create a dictionary of common words and names and their simple transformations Use these to guess the password Eagle Wine Rose Eagle Yes! Dictionary 16

Dictionary Attacks (Cont d) Attack 2 (offline): Usually F is public and so is the password file Compute F(word) for each word in the dictionary A match gives the password Eagle Wine Rose Dictionary F(Eagle)=XkPT TdWx% XkPT KYEN Password file 17

Dictionary Attacks (Cont d) Attack 3 (offline): To speed up search, pre-compute F(dictionary) A simple look up gives the password Eagle Wine Rose F XkPT %$DVC #AED! Look up TdWx% XkPT KYEN Dictionary Pre-computed Dictionary Password file 18

Password Salt To make the dictionary attack a bit more difficult Salt is a n-bit number between 0 and 2 n Derived from, for example, the system clock and the process identifier 19

Password Salt (Cont d) Storing the passwords Password + Salt F F(Password + Salt) Password file Username, Salt, F(Password + Salt) 20

Password Salt (Cont d) Verifying the passwords Password + Salt F Fetch Salt according to username F(Password + Salt) Compare Password file Username, Salt, F(Password + Salt) 21

Does Password Salt Help? Attack 1? Without Salt With Salt Eagle Wine Rose A word Yes/No Dictionary 22

Does Password Salt Help? Attack 2? Without Salt With Salt Eagle Wine Rose Dictionary F TdWx% XkPT KYEN Password file 23

Does Password Salt Help? Attack 3? Without Salt With Salt Eagle Wine F %$DVC XkPT Look up TdWx% XkPT Y Rose #AED! KYEN Dictionary Pre-computed Dictionary Password file 24

Password Guidelines For Users 1.Initial passwords are system-generated, have to be changed by user on first login 2.User must change passwords periodically 3.Passwords vulnerable to a dictionary attack are rejected 4.User should not use same password on multiple sites 25

Other Password Attacks Technical eavesdropping on traffic that may contain unencrypted passwords Trojan horse password entry programs Social careless password handling or sharing phishing 26

The S/Key Protocol 27

Using Disposable Passwords Simple idea: generate a long list of passwords, use each only one time attacker gains little/no advantage by eavesdropping on password protocol, or cracking one password Disadvantages storage overhead users would have to memorize lots of passwords! Alternative: the S/Key protocol based on use of one-way (e.g. hash) function 28

S/Key Password Generation 1. Alice selects a password x 2. Alice specifies n, the number of passwords to generate 3. Alice s computer then generates a sequence of passwords x 1 = H(x) x 2 = H(x 1 ) x n = H(x n-1 ) x x (Password) H H H H x1 x2 x3 x4 29

Generation (cont d) 4. Alice communicates (securely) to a server the last value in the sequence: x n Key feature: no one knowing x i can easily find an x i-1 such that H(x i-1 ) = x i only Alice possesses that information 30

Authentication Using S/Key Assuming server is in possession of x i Server i Alice x i-1 verifies H(x i-1 ) = x i Is dictionary attack still possible? 31

Limitations Value of n limits number of passwords need to periodically regenerate a new chain of passwords Does not authenticate server! Example attack: 1. real server sends i to fake server, which is pretending to be Alice 2. fake server sends i to Alice, who responds with x i-1 3. fake server then presents x i-1 to real server 32

Biometrics Relies upon physical characteristics of people to authenticate them Desired properties 1. uniquely identifying 2. very difficult to forge / mimic 3. highly accurate 4. easy to scan or collect 5. fast to measure / compare 6. inexpensive to implement 33

Assessment Convenient for users (e.g., you always have your fingerprints, never have to remember them), but potentially troubling sacrifice of private information no technique yet has all the desired properties 34

Assessment (cont d) 35

Example Biometric Technologies Signature / penmanship Fingerprints DNA Palm geometry Retina scan Iris scan Face recognition Voice recognition 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback