Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Auditing Part Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006.

Similar presentations


Presentation on theme: "Authentication and Auditing Part Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006."— Presentation transcript:

1 Authentication and Auditing Part Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006

2 2 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

3 3 Authorization 101 – A Recap Most common form of verification is the password Common attacks include – Social Engineering – Dictionary – Smart Dictionary (DNA System) – Brute Force – Replay – Offline Guessing – Many, many more

4 4 Authorization 101 – A Recap Countermeasures – Password complexity requirements – Password aging – Password Hashing, etc.

5 5 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

6 6 Web Authentication Case Study Taking all the techniques we have learned, we will design a secure Web authentication mechanism for a self registering system Covering the following parts: – Self registration form – Credential storage – Login form and password reset

7 7 Case Study – Registration Form User selects a username, typically address is used for global uniqueness User selects a password First, what limits a passwords complexity? – Password memorability study The setup – 300 students – 3 different groups (control, random, and pass phrase) – Attempted to crack using common attacks

8 8 Case Study – Registration Form Password memorability study results

9 9 Case Study – Registration Form Summing up the password memorability study – Confirmed Myths Users have trouble memorizing random passwords Mnemonic passwords are harder to crack than conventional – Disproved Myths Random passwords are harder to crack than mnemonic Mnemonic passwords are harder to remember than conventional

10 10 Case Study – Registration Form So what does this mean for our registration form? – Rather then just instruct users the complexity requirements instruct them HOW to choose a good password. (The best balance between complexity and memorability is mnemonic). – As expected password size does matter – at least 8 – Character variation matters – force both numbers, symbols, and characters

11 11 Case Study – Registration Form What else can we do to help a user choose a good password? – Improving password selection through the user interface design – The typical Password Selection Mechanism (PSM)

12 12 Case Study – Registration Form The problem, current PSMs do not help the user choose good passwords, they only allow them to Some myths – Users choose bad passwords because it is all they can memorize – Users choose bad passwords because they do not care about security So why do users choose bad passwords? – They just do not understand what makes a password strong vs. weak

13 13 Case Study – Registration Form How do we help users choose good passwords? – Feedback mechanisms

14 14 Case Study – Registration Form Finally, we want to make sure people cannot easily create bots to create thousands of accounts. How can this be accomplished? CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) Most common type:

15 15 Case Study – Registration Form Real World Examples: - Can you spot the good/bad practices of the following registration forms? - Google Google - Yahoo! Yahoo! - Windows Live Windows Live

16 16 Case Study – Credential Storage How should credentials be stored? – Passwords should be salted and hashed Password Salting – Appending randomly generated bits to a password before hashing – Used for one main reason – incase 2 people choose the same password the hash will still be different

17 17 Case Study – Credential Storage Hashing Benefits – Fast – Secure – Removes any indication of original password length

18 18 Case Study – Login Form Basic components: – User name field – Password field – Forgot password/password reset mechanism When an invalid password or username is entered only show a generic message (Example)(Example) Lock the user’s account after x password attempts Require the user change their password after x amount of time

19 19 Case Study – Forgot/Reset Password What is a secure way to allow a user to recover/reset their password? – Recall passwords are hashed Common approach 1. User is asked to select a security question 2. User selects to reset their password 3. is sent to the specified account with time sensitive URL 4. When visited the URL presents the user with their password reset question 5. User answers question and is allowed to reset password

20 20 Case Study Summary Urge users to use mnemonic passwords as they are easily memorized and as secure as random passwords Use a feedback mechanism to indicate to the user when they have chose a strong password Provide clear instructions to guide the user to select secure passwords Use CAPTCHA to help reduce automated registrations (both visual and audio)

21 21 Case Study Summary Salt and hash passwords for storage Allow users to reset their passwords when desired using a multi-step process If invalid credentials are entered display a generic message

22 22 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

23 23 Recent Techniques and Challenges What comes to mind?

24 24 Recent Techniques and Challenges ING DIRECT Image Key – In addition to passwords users are asked to select an image from a set and enter a phrase – Each time they log in they will be asked to enter the phrase

25 25 Recent Techniques and Challenges InCard Technologies – New password verification technique – Card is capable of generating one time passwords that can validate an online purchase

26 26 Recent Techniques and Challenges RSA Hosted SecurID – Allow customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site – Largest user so far is E*Trade Financial

27 27 Recent Techniques and Challenges OpenID – Single Sign On for the Web – How it works Site places login form on page, only contains single field asking for OpenID identifier You are then redirected to your OpenID provider to enter whatever credentials necessary Once authenticated you are then sent back to the original site Also allows the account information to be exchanged

28 28 Recent Techniques and Challenges Phishing – Using social engineering to trick users into providing personal information – Common method Sending that looks like it came from a business asks users to verify their account information, update their records, etc. User clicks link on and is really taken to phishing site User mistakenly enters their information

29 29 Recent Techniques and Challenges Phishing Continued

30 30 Recent Techniques and Challenges Phishing continued – Presents an interesting problem for sites. – They now have to “authenticate” themselves to users. – In other words, how do you prove to users that it is really an authentic site they are on?

31 31 Current Techniques and Challenges Phishing continued – Yahoo! sign-in seal Allows users to customize their login page Stores image information in Flash shared object (a cookie for Flash)

32 32 Recent Techniques and Challenges Summary – Recently there have been a lot of money invested in developing new authentication techniques – Phishing causes the majority of issues – It is predicted that by the end of % of financial institutions will use something stronger than a password. However only 7% will go as far as to hand out hardware tokens – By the end of 2007 half of today’s stronger authentication methods will not be strong enough anymore – The password is not dead, it will merely be used as one phase of multiple phase authentication

33 33 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

34 34 Biometrics As we learned last class, the main types of biometric authentication is: – Fingerprints – Voices – Eyes – Faces – Keystrokes

35 35 Biometrics

36 36 Biometrics The Electronic Passport – One of the first major public implementations of biometrics – Same as a regular passport except it contains a contactless chip in the back cover – Chip stores same information as on the photo page but also includes a digital copy of the image – The image can then be used for facial recognition at international borders

37 37 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

38 38 Auditing 101 – A Recap Why audit? – To trace access to sensitive or important information as well as access to the computers themselves Some terminology – Logging Recording events or statistics to provide information about system use and performance – Auditing Analyzing the log records to present the information in a clear and understandable manner

39 39 Auditing 101 – A Recap Two problems related to auditing – What information to log? – Which of that information gather should be audited? What makes up an auditing system? – Logger – Analyzer – Notifier

40 40 Auditing 101 – A Recap The Logger – Records the information – Can be binary, human-readable, or sent directly to an analysis mechanism The Analyzer – Takes the log as input and analyzes it – Results of analysis may lead to data being recorded or detection of a problem

41 41 Auditing 101 – A Recap The Notifier – Takes the results of the analysis – Informs the analyst and other entities of the results – An action may then be taken by the notified entities

42 42 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

43 43 Designing an Auditing System Build to detect violations in the security policy Log meaningful information Log sanitization – Users must only be able to view information in the logs that they have access to – 2 types of sanitizing logs: User privacy External viewing

44 44 Designing an Auditing System Sanitizing for user privacy: Sanitizing for external viewing: Logging SystemLogSanitizer Users Logging SystemSanitizerLog Users

45 45 Designing an Auditing System Two types of logs – Application Cannot connect Configuration file not found – System Utilize both types of logs to get a complete picture of what led up to a particular event

46 46 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

47 47 Auditing Mechanisms Secure Systems – Auditing is integrated with the system design and implementation – Typically provides a language or interface to configure what is monitored Nonsecure Systems – Record a lesser level of activity – Auditing is typically only used for purposes of accounting rather than security violations

48 48 Outline Authentication – Authentication 101 – A Recap – Web Authentication Case Study – Recent Techniques and Challenges – Biometrics Auditing – Auditing 101 – A Recap – Designing an Auditing System – Auditing Mechanisms – Audit Browsing Conclusion

49 49 Audit Browsing Purpose is to present logs in a single tool and indicate the associations between the disconnected log files Six Basic Browsing Techniques – Text Display – Hypertext Display – Relational database browsing – Replay – Graphing – Slicing

50 50 Conclusion Passwords are here to stay Passwords do not need to be weak to be able to be memorized Mnemonic passwords are as strong as random The typical user interface can be improved to allow users to choose stronger passwords Auditing is important component of a system Typically overlooked until needed but provides valuable information when needed

51 51 Questions?

52 52 References Biometrics, Wikipedia, Bishop, 2004, Introduction to Computer Security, Addison-Wesley, Boston, MA Chandra, A. and Calderon, T Challenges and constraints to the diffusion of biometrics in information systems. Commun. ACM 48, 12 (Dec. 2005), DOI= Conlan, R. M. and Tarasewich, P Improving interface designs to help users choose better passwords. In CHI '06 Extended Abstracts on Human Factors in Computing Systems (Montréal, Québec, Canada, April , 2006). CHI '06. ACM Press, New York, NY, DOI= RSA SecureID authentication, RSA Security, The U.S. Electronic Passport, U.S. Department of State, What is OpenID?, OpenID, Yan, J., Blackwell, A., and Grant, A Password memorabillity and security: empirical results. Security & Privacy Magazine, IEEE. 2 (5). pp


Download ppt "Authentication and Auditing Part Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006."

Similar presentations


Ads by Google