Presentation is loading. Please wait.

Presentation is loading. Please wait.

INTRO TO COMPUTER SECURITY LECTURE 4 IDENTIFICATION AND AUTHENTICATION M M Waseem Iqbal

Published byIra Beasley Modified over 7 years ago

Similar presentations

Presentation on theme: "INTRO TO COMPUTER SECURITY LECTURE 4 IDENTIFICATION AND AUTHENTICATION M M Waseem Iqbal"— Presentation transcript:

1 INTRO TO COMPUTER SECURITY LECTURE 4 IDENTIFICATION AND AUTHENTICATION M M Waseem Iqbal Waseem.iqbal@mcs.edu.pk

2 R EVIEW Classify each of the following as a violation of confidentiality, of integrity, of availability, or of some combination thereof. John copies Mary's homework. Paul crashes Linda's system. Carol changes the amount of Angelo's check from $100 to $1,000. Gina forges Roger's signature on a deed. Rhonda registers the domain name "AddisonWesley.com" and refuses to let the publishing house buy or use that domain name. Jonah obtains Peter's credit card number and has the credit card company cancel the card and replace it with another card bearing a different account number. Henry spoofs Julie's IP address to gain access to her computer.

3 R EVIEW Identify mechanisms for implementing the following. State what policy or policies they might be enforcing. A password changing program will reject passwords that are less than eight characters long or that are found in the dictionary. Only students in a computer science class will be given accounts on the department's computer system. The login program will disallow logins of any students who enter their passwords incorrectly three times. The permissions of the file containing Carol's homework will prevent Robert from cheating and copying it. When World Wide Web traffic climbs to more than 80% of the network's capacity, systems will disallow any further communications to or from Web servers. Annie, a systems analyst, will be able to detect a student using a program to scan her system for vulnerabilities. A program used to submit homework will turn itself off just after the due date.

4 USER IDENTIFICATION & AUTHENTICATION Is he/she a registered user at the system? (user identification) Can he/she prove who he/she is? (user authentication)

5 USERNAME AND PASSWORD Username : identification purpose Password : authentication purpose The mostly used approach to identification and authentication.

6 PROBLEMS WITH PASSWORDS Password guessing by attacker Password spoofing Compromise of system’s password file

7 GUESSING A PASSWORD Exhaustive search (Brute Force) : try all possible combinations of valid symbols, up to a certain length. Intelligent search : search through a restricted name space, e.g., names of friends and relatives, car registration number.

8 C OUNTERMEASURE : U SING T IME Maximize time needed to guess the password Anderson’s formula: – P probability of guessing a password in specified period of time – G number of guesses tested in 1 time unit – T number of time units – N number of possible passwords (| A |) – Then P ≥ TG / N

9 C OUNTERMEASURE : U SING T IME Example: Let Passwords be drawn from a 96-char alphabet. Assume 10 4 guesses can be tested per second. We wish the Probability of a success to be 0.5 over a 365 day period. What is minimum password length that will give us this probability? Solution – N ≥ TG / P = (365  24  60  60)  10 4 /0.5 = 6.31  10 11 – Choose s such that  s j =0 96 j ≥ N – So s ≥ 6, meaning passwords must be at least 6 chars long

10 DEFENSES BY USER Set a password Changing default password : delivered system has a default password. Password length : prevent exhaustive search Password format : mix upper and lower case symbols and numerical characters. Avoid obvious passwords : birth date, etc.

11 PASSWORD SECURITY BY SYSTEM Password checkers : The system checks passwords against some dictionary of ‘weak’ passwords. Password generation : Password generators producing random but pronounceable passwords. Password aging: In many systems an expiring date can be set, to force a user to change his password. Limit login attempts: The system can monitor unsuccessful login attempts and react by locking the user account completely or at least for a certain period of time. Inform user : After a successful login, the system can display the time of the last login and the number of failed attempts since then, to warn the user about recent attempted attacks.

12 THE PROBLEM Passwords of complex formats are hard to memorize. If you choose such one, you may have to write it down somewhere and hide it in your office. But this is also dangerous. Passwords of simple formats are easy to memorize, but do not offer good security. What if user follows all the security practices but forgets the password? Question: What do you do in practice?

13 PASSWORD SPOOFING ATTACKS Purpose of attack Password compromise Who is the attacker Anyone including a legitimate user. How to attack? An attacker runs a program that presents a fake login screen on some terminal or workstation. An unsuspecting user comes to this terminal and try to login. The ID and password are then stored. Execution is then handed over to the user, or login is aborted with a (fake) error message and the spoofing program terminates. Control is returned to the OS which now prompts the user with a genuine login request. The user tries again, succeeds on this second attempt and remains completely unaware that password has been compromised.

14 DEFENSE AGAINST PASSWORD SPOOFING ATTACKS Inform: Displaying the no. of failed logins may indicate to the user that such an attack happened. Trusted path: Guarantee that user communicates with the operating system and not with a spoofing program. How? Example: In Windows NT, ALT+CTRL+DEL, invokes the Windows NT operating system login screen. Always use it even you see a login screen!

15 OTHER CASES: EXAMPLE Information: Web browsers cache information that make it possible for users to scroll back to pages they have recently visited. Question: Does this cause any security problem?

16 EXAMPLE: ONLINE BANKING You enter your password on a web page, conduct your business, close the banking application, but forget to terminate the browser session. The next user can scroll back to the page with your password and login as you.

17 PASSWORD FILE User Identity Verification: The system compares the password entered by the user against a value stored in the password file. Claim: The password file must be protected. How to protect the file?

18 PROTECTION OF PASSWORD FILE Cryptographic Protection: Encrypt the password file. Question: Does it solve the problem? Answer: If the encrypted file is obtained, one may carry out an “offline dictionary attack”. Protection by operating system: Access control to the file enforced by the operating system. Better protection: A combination of cryptographic protection and access control, possibly with even further enhancements to slow down dictionary attacks.

19 PROTECTION OF PASSWORD FILE Question: How to encrypt a password file? Answer: One-way functions. One-way Functions: Given x, it is easy to compute f(x); but it is hard to find x given f(x). Example: f(x) = a x mod p Instead of storing password x, we store f(x) in the password file. When a user logs in and enters a password say x’ the system computes f(x’) and compares it with the stored f(x).

20 UNIX PASSWORD SCHEME: LOADING A NEW PASSWORD

21 UNIX PASSWORD SCHEME: VERIFYING A PASSWORD FILE

22 PROTECTION OF PASSWORD FILE Question: How to protect a password file by access control enforced by an operating system? Access control mechanisms in an operating system restrict access to files and other resources to users holding the appropriate privileges. Only privileged users can have write access to the password file. If read access is restricted to privileged users, then passwords can be stored unencrypted. If not, store passwords in encrypted form. Recent versions of Unix store encrypted passwords in a file that is not publicly accessible. Such files are called shadow password files. E.g. in HP-UX, /.secure/etc/passwd Windows NT stores encrypted passwords in binary format. Password salting Appending additional information to the password before encryption Store the salt with encrypted password. Two users having same password will have different entries in the encrypted password file. Slows down dictionary attacks

23 ALTERNATIVE APPROACHES TO USER IDENTIFICATION & AUTHENTICATION Something you know: Example: personal identification number (PIN) used with bank card. Something you hold : Example : a physical key opening a lock. Example : A card for accessing the office of the CS Department. A physical token can be lost or stolen. Who you are ? Biometrics: palm prints, finger prints, iris pattern, retina pattern, voice recognition, signature recognition What you do? Tasks specific to an individual Example: Signing on a special pad that measures writing speed and writing pressure. Example: Typing speed and intervals between key strokes. Where you are? Example: Login from a specific terminal. Mobile and Distributed Computing: Using GPS

24 OPERATION IN BIOMETRICS AUTHENTICATION UserTemplate Enrollment phase Initial Measurement Login Attempt Remeasure and match

25 PROBLEMS WITH BIOMETRICS AUTHENTICATION Initial measure of physical characters: What measure? How to measure? Authenticated: how good is a match required before a user is considered authenticated? Authentication by password gives a clear reject or accept but with biometrics a stored pattern will hardly ever match precisely with the taken measurements. Your face picture may vary from time to time due to weight change. So the very nature of biometrics requires measuring some property which may vary from time to time, and an algorithm must decide how much variation to allow.

26 ERROR RATES IN BIOMETRICS AUTHENTICATION An authentication system can have two kinds of errors: false positives: in which an unauthorized user is accepted; false negatives: in which an authorized user is rejected. Find the right balance between these two errors.

27 REFERENCE D. Gollmann: Computer Security, Chapter 2: Identification and Authentication

Download ppt "INTRO TO COMPUTER SECURITY LECTURE 4 IDENTIFICATION AND AUTHENTICATION M M Waseem Iqbal"

Similar presentations

1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies

Access Control Methodologies
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.

Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Information Security. Information security  All measures taken to prevent unauthorized use of electronic data –unauthorized use includes disclosure,

Information Security. Information security  All measures taken to prevent unauthorized use of electronic data –unauthorized use includes disclosure,
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security Chapter 8 – Password Security.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.

10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.

Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,

1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,

Similar presentations

Ads by Google