Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

Published byBonnie Robinson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What."— Presentation transcript:

1 1 Chapter 11: Authentication Basics Passwords

2 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What entity knows (eg. Password, SSN) –What entity has (eg. badge, smart card) –What entity is (eg. fingerprints, biometrics) –Where entity is (eg. In front of a particular terminal)

3 3 An example: –You know some password –The computer also knows it (could be the password itself or some post computation result) –A function maps your password to the stored information –Examine whether they match –You can also change the password

4 4 Authentication System Authentication system contains: (A, C, F, L, S) –A: information that proves identity (what you know) –C: information stored on computer and used to validate authentication information (what computer knows) –F: complementation function; f : A  C (function maps your knowledge to stored information) –L: functions that prove identity: A x C  {T, F} –S: functions enabling entity to create, alter information in A or C

5 5 Example Password system, with passwords stored in clear text –A: set of strings making up passwords All 8 character strings –C = A All 8 character strings –F: Mapping an input password to itself –L: single equality test function { eq } Input ?= stored password –S: function to set/change password

6 6 Passwords Based on what people know Sequence of characters –Examples: 10 digits, a string of letters, etc. –Generated randomly, by user, by computer with user input Algorithms –Examples: challenge-response, one-time passwords

7 7 Storage Password stored in cleartext –If password file compromised, all passwords revealed Encipher file –Need to have decipherment, encipherment keys in memory –If attackers get a hold of the keys, reduces to previous problem Store one-way hash of password –If file is read, attacker must still guess passwords or invert the hash

8 8 Salting Goal: mitigate dictionary attacks Problem: Say all passwords are 8-char long, the attacker can pre-compute hash values of all 8-char strings. Later when she/he gets the hash file, she/he can easily determine the string Method: –Introduce additional information so that it is very difficult for attackers to conduct pre-computation –Still very efficient for the system to authenticate a user –Example Use salt as first part of input to hash function

9 9 Anatomy of Attacking Goal: locate a  A such that: –For some f  F, f(a) = c  C –c is associated with entity Two ways to determine whether a meets these requirements: –Approach 1: if attacker knows function f, she/he can try as above E.g., attacker gets the file containing hashed passwords, she/he can start to hash all possible passwords –Approach 2: try to login by guessing a password

10 10 Preventing Attacks How to prevent this: –Hide one of a, f, or c Prevents attack from above Example: –You do not know the function f –You cannot get c –Block access to all l  L or result of l(a) Restrict the number of trying you can conduct in every unit time Prevent attacker from knowing if guess succeeded Prevent any logins to an account from a network

11 11 Dictionary Attacks Trial-and-error from a list of potential passwords –Off-line: know f and c, and repeatedly try different guesses g  A until the list is done or passwords guessed Examples: pre-compute the hash of possible password –On-line: have access to functions in L and try guesses g until some l(g) succeeds Examples: trying to log in by guessing a password

12 12 Guessing probability P: probability of guessing a password, –≥ tried password / total number of password Put it in a formula: –G: number of guesses tried in 1 time unit –T: number of time units –N: number of possible passwords (|A|) –Then P ≥ TG/N

13 13 Example Goal –Passwords drawn from a 96-char alphabet –Can test 10 4 guesses per second –Probability of a success to be 0.5 over a 365 day period –What is minimum password length? Solution –P >= GT/N GT/N = 0.5, G= 10 4, T=60 * 60 * 24 * 365, N= 96^length –N ≥ TG/P = (365  24  60  60)  10 4 /0.5 = 6.31  10 11 –Choose length such that 96^length ≥ N –So length ≥ 6, meaning passwords must be at least 6 chars long

14 14 Pronounceable Passwords Generate phonemes randomly –Phoneme is unit of sound, something easy to pronounce –Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not –Remember the names of brands: Mazda, Toshiba, etc Problem: too few –For example, there are about 440 phonemes –If every phoneme contains 3 characters, then a 9-char password contains only 3 phonemes –Attacker needs to search only 440^3 = 85 million passwd Solution: key crunching –Run long key through hash function and convert to printable sequence –Use this sequence as password

15 15 Guessing Through L Cannot prevent these –Otherwise, legitimate users cannot log in Make them slow –Backoff –Disconnection –Disabling Be very careful with administrative accounts! Can be used to conduct DoS attacks –Jailing Allow in, but restrict activities

16 16 Password Aging Force users to change passwords after some time has expired –How do you force users not to re-use passwords? Record previous passwords Block changes for a period of time –Give users time to think of good passwords Don’t force them to change before they can log in Warn them of expiration days in advance

17 17

18 18 Key management in some UNIX systems –don't use the shadow passwordfiles –the passwords are stored encrypted in the file /etc/passwd –Format of the stored record Account; coded password data; homedir; Gigawalt; fURfuu4.4hY0U; /home/gigawalt

19 19

20 20 It becomes more difficult for attackers to try all possible password offline If an attacker gets the /etc/passwd file and knows all salt, then it is still ok to him/her Make the salt private: stored in a file with restricted access permissions Challenges –Keep the salt private –Maintain salt for users

21 21 Key Points Authentication is not cryptography –You have to consider system components Passwords are important –They provide a basis for most forms of authentication Protocols are important –They can make attacks harder Authentication methods can be combined

Download ppt "1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What."

Similar presentations

Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Chapter 12: Authentication

Chapter 12: Authentication
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
1 Authentication CS461/ECE422 Fall 2010. 2 Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography

1 Authentication CS461/ECE422 Fall Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.

Similar presentations

Ads by Google