Published by Ryder Kingdom
Slide 1: Authentication with Passwords
Prof. Ravi Sandhu, Executive Director and Endowed Chair
February 1,
CS 6393 Lecture 3
© Ravi Sandhu. World-Leading Research with Real-World Impact!
Slide 2: User Authentication
- Something you know, e.g., passwords
- Something you have, e.g., token, smartcard
- Something you are, e.g., fingerprint
Dimensions of user authentication: single factor vs. multi factor; primary vs. secondary; weak vs. strong; single sign-on vs. reduced sign-on; reset and revocation.
Slide 3: Kill the Password
Slide 4: Herley-Oorschot 2012 Quotes
"Many things have changed beyond recognition in the past 20 years, but passwords have advanced little. Arguably, the Internet could not have grown to its current size and influence without them."
"Repeated and sustained effort has failed to uncover a silver-bullet replacement for passwords. It's time to admit that this is unlikely to change. In the absence of a silver bullet, we can't escape the messy work of tradeoffs."
"We assert that passwords are the best fit for many (but alone, not the highest level of) authentication needs."
"We might say that passwords are the worst possible authentication system, except for all the other systems."
Slide 5: Herley-Oorschot Research Agenda
- Ending the belief that passwords are dead
- Understanding strength and attack resistance
- Policies and support tools: password aging policies, realistic password guidance, password managers
- Prioritizing competing requirements
"Although passwords might not be viewed as the 'rocket science' of security research, their scale of deployment is such that any improvement in their usability would be hard to equal for impact."
Slide 6: Herley-Oorschot Concluding Quote
"Although we lack the data to attach likelihoods to the individual pie-chart threats, we can reasonably conjecture that keystroke logging harvests more passwords than phishing and phishing harvests more than online brute-force attacks."
Slide 8: Morris-Thompson 1979, Evolution of the UNIX Password Mechanism
Store passwords in a highly protected file:
- Single point of total failure
- Easily copied by privileged users
- Stored in plaintext on backups
- Protection mechanisms are imperfect
Instead: store hashed passwords.
Diagram: Encrypt(Plaintext = fixed constant, Key = password) -> hashed password
Slide 9: Morris-Thompson 1979, Evolution of the UNIX Password Mechanism (continued)
Store hashed passwords:
- Invention of the dictionary attack rather than an inversion attack
- In the initial enthusiasm, hashed passwords were put in a world-readable file!!
Diagram: Encrypt(Plaintext = fixed constant, Key = password) -> hashed password
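The two Morris-Thompson slides above, worked in code (an added example, not from the lecture): the stored value is a fixed constant transformed under the password as key, login recomputes rather than inverts, and a dictionary attack against a copied hash file is just that same recomputation over candidate words. HMAC-SHA256 stands in for the DES-based crypt(3) of 1979, and the per-user salt is an assumption of this example (it is part of the 1979 design but not drawn on the slide).

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Slide diagram: Plaintext = fixed constant, Key = password, output = stored hash.
# Assumption: HMAC-SHA256 replaces the 1979 DES variant; the salt is per user.
FIXED_CONSTANT = b"\x00" * 8


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transform: the password is the key, the constant is the plaintext."""
    return hmac.new(password.encode("utf-8"), salt + FIXED_CONSTANT, hashlib.sha256).digest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """What the password file stores: (salt, hash). The password itself is never written."""
    salt = os.urandom(8)
    return salt, hash_password(password, salt)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login never inverts the hash; it recomputes and compares in constant time."""
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def dictionary_guesses(record: tuple[bytes, bytes], wordlist: list[str]) -> tuple[str | None, int]:
    """The slide's 'dictionary attack rather than inversion attack': try candidates.
    Returns (matched word or None, hashes computed). Anyone holding a copy of a
    world-readable hash file can do exactly this offline, which is the slide's point."""
    for count, word in enumerate(wordlist, 1):
        if verify(word, record):
            return word, count
    return None, len(wordlist)


def proactive_check(password: str, wordlist: list[str]) -> bool:
    """Defender's counterpart: refuse, at set time, a password a wordlist would find."""
    return password not in set(wordlist)


if __name__ == "__main__":
    # Constructed sample: one user record and a tiny wordlist.
    rec = make_record("hunter2")
    print("login ok:", verify("hunter2", rec))
    print("wordlist result:", dictionary_guesses(rec, ["password", "letmein", "hunter2"]))
```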
Slide 10: Cheswick 2013
DoD Green Book requirement, 1985: "The goal is to resist a year's worth of dictionary attacks with a cracking probability of 10^-6 (or 10^-20 for sensitive systems)." (Cheswick, Table 2, page 42.)
Trying to meet this requirement by changing passwords regularly is rather hopeless.
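Why the slide calls password aging "rather hopeless", as an added calculation that is not part of the lecture: the Green Book's own guessing relation P = L x R / S (lifetime L, guess rate R, password space S; the formula is not printed on the slide) is solved for the space and entropy a password needs, and the saving from a shorter lifetime is shown to be only log2(old/new) bits. The guess rate used below is a constructed parameter, not a figure from Cheswick.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def required_space(lifetime_seconds: float, guess_rate: float, max_probability: float) -> float:
    """Green Book relation P = L*R/S, solved for the password space S."""
    return lifetime_seconds * guess_rate / max_probability


def required_bits(lifetime_seconds: float, guess_rate: float, max_probability: float) -> float:
    """Entropy a uniformly chosen password needs to meet the probability target."""
    return math.log2(required_space(lifetime_seconds, guess_rate, max_probability))


def min_length(bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random password over the alphabet that carries `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def aging_saving_bits(old_lifetime: float, new_lifetime: float) -> float:
    """Shrinking the lifetime from old to new lowers the required entropy by log2(old/new) bits."""
    return math.log2(old_lifetime / new_lifetime)


if __name__ == "__main__":
    rate = 1e9          # constructed: guesses per second against the hash file
    alphabet = 95       # printable ASCII
    for p in (1e-6, 1e-20):
        bits = required_bits(SECONDS_PER_YEAR, rate, p)
        print(f"P={p:g}: {bits:.1f} bits, i.e. {min_length(bits, alphabet)} random printable chars")
    # Rotating every 90 days instead of yearly buys about 2 bits: the slide's "rather hopeless".
    print(f"aging saving: {aging_saving_bits(365, 90):.2f} bits")
```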
Slide 11: Narayanan-Shmatikov 2005
"We demonstrate that as long as passwords remain human-memorable, they are vulnerable to 'smart-dictionary' attacks even when the space of potential passwords is large."
It's not just human-memorable; it is also human-enterable.