Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 522 Identification and Authentication. CSCE 522 - Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.

Published byBartholomew Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 522 Identification and Authentication. CSCE 522 - Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction."— Presentation transcript:

1 CSCE 522 Identification and Authentication

2 CSCE 522 - Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 16, Identification and Authentication, pages 180-194 http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf Recommended: – Smart Card Alliance, http://www.smartcardalliance.org/http://www.smartcardalliance.org/ – Securing Digital Identities & Information, strong authentication http://www.entrust.com/authentication/index.htmhttp://www.entrust.com/authentication/index.htm – Certificate Authority GlobalSign Loses Critical Data to ComodoHacker, http://techie-buzz.com/tech-news/globalsign-attack-certificate-authority- data-leak.html, Sept 8, 2011 http://techie-buzz.com/tech-news/globalsign-attack-certificate-authority- data-leak.html Reading for next lecture: – Pfleeger: Ch. 4.3 and 4.4

3 Identification Establishes the identity of an individual/system/ap- plication/etc. Proof of identity: password, driver’s license, Id card, etc. CSCE 522 - Farkas3

4 4 Authentication Allows an entity (a user or a system) to prove its identity within a context, e.g., computer system Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

5 CSCE 522 - Farkas5 Authentication Information Must be securely maintained by the system.

6 CSCE 522 - Farkas6 Elements of Authentication Person/group/code/system: to be authenticated Distinguishing characteristics: differentiates the entities to be authenticated Proprietor/system owner/administrator: responsible for the system Authentication mechanism: verify the distinguishing characteristics Access control mechanism: grant privileges upon successful authentication

7 CSCE 522 - Farkas7 Authentication Requirements Network must ensure – Data exchange is established with addressed peer entity not with an entity that masquerades or replays previous messages Network must ensure data source is the one claimed Authentication generally follows identification – Establish validity of claimed identity – Provide protection against fraudulent transactions

8 CSCE 522 - Farkas8 User Authentication What the user knows – Password, personal information What the user possesses – Physical key, ticket, passport, token, smart card What the user is (biometrics) – Fingerprints, voiceprint, signature dynamics

9 CSCE 522 - Farkas9 Passwords Commonly used method For each user, system stores (user name, F(password)), where F is some transformation (e.g., one-way hash) in a password file – F(password) is easy to compute – From F(password), password is difficult to compute – Password is not stored in the system When user enters the password, system computes F(password); match provides proof of identity

10 CSCE 522 - Farkas10 Vulnerabilities of Passwords Inherent vulnerabilities – Easy to guess or snoop – No control on sharing Practical vulnerabilities – Visible if unencrypted in distributed and network environment – Susceptible for replay attacks if encrypted naively Password advantage – Easy to modify compromised password.

11 CSCE 522 - Farkas11 Attacks on Password Guessing attack/dictionary attack Social Engineering Sniffing Trojan login Van Eck sniffing

12 CSCE 522 - Farkas12 Guessing Attack Exploits human nature to use easy to remember passwords Trial-and-error attack Easy to detect (failed logins) and block – Problem: if the attacker has access to the password file (even if it is encrypted) Need audit mechanism

13 CSCE 522 - Farkas13 Social Engineering Attacker asks for password by masquerading as somebody else (not necessarily an authenticated user) May be difficult to detect Protection against social engineering: strict security policy and users’ education

14 CSCE 522 - Farkas14 Dictionary Attacks on Passwords Attack 1: – Create dictionary of common words and names and their simple transformations – Use these to guess password Attack 2: – Usually F is public and so is the password file (encrypted) – Compute F(word) for each word in dictionary – Find match

15 CSCE 522 - Farkas15 Password Salt Used to make dictionary attack more difficult Salt is a 12 bit number between 0 and 4095 It is derived from the system clock and the process identifier Compute F(password+salt); both salt and F(password+salt) are stored in the password table User: gives password, system finds salt and computes F(password+salt) and check for match Better!: use a random number, user authenticates by sending F(password+random number) || random number

16 CSCE 522 - Farkas16 Password Management Policy Educate users to make better choices Define rules for good password selection and ask users to follow them Ask or force users to change their password periodically Actively attempt to break user’s passwords and force users to change broken ones Screen password choices

17 CSCE 522 - Farkas17 One-time Password Use the password exactly once! The first use of the password would grant access; a second or subsequent use of the same password would not

18 CSCE 522 - Farkas18 Lamport’s scheme Doesn’t require any special hardware System computes one-way function F, such as F(x),F 2 (x),…, F 1000 (x) System stores user’s name and F 1000 (x) User supplies F 999 (x) the first time If the login is correct, system replaces F 1000 (x) with F 999 (x) Next login: user supplies F9 98 (x) … and so on User calculates F n (x) using a hand-held calculator, a workstation, or other devices

19 CSCE 522 - Farkas19 Time Synchronized There is a hand-held authenticator – It contains an internal clock, a secret key, and a display – Display outputs a function of the current time and the key – It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function and its clock to calculate the expected output Login is valid if the values match

20 CSCE 522 - Farkas20 Time Synchronized Secret key Time One Time Password DES Problem: Need time synchronization between device and server

21 CSCE 522 - Farkas21 Challenge Response Work station Host Network Non-repeating challenges from the host is used The device requires a keypad User ID Challenge Response

22 CSCE 522 - Farkas22 Challenge Response Secret key Challenge One Time Password DES

23 CSCE 522 - Farkas23 Devices with Personal Identification Number (PIN) Devices are subject to theft, some devices require PIN (something the user knows) PIN is used by the device to authenticate the user Problems with challenge/response schemes – Key database is extremely sensitive – This can be avoided if public key algorithms are used

24 CSCE 522 - Farkas24 Smart Cards Portable devices with a CPU, I/O ports, and some nonvolatile memory Can carry out computation required by public key algorithms and transmit directly to the host Some use biometrics data about the user instead of the PIN

25 CSCE 522 - Farkas25 Biometrics Fingerprint Retina scan Voice pattern Signature Typing style

26 CSCE 522 - Farkas26 Problems with Biometrics Expensive – Retina scan (min. cost) about $ 2,200 – Voice (min. cost) about $ 1,500 – Signature (min. cost) about $ 1,000 False readings – Retina scan 1/10,000,000+ – Signature 1/50 – Fingerprint 1/500 Can’t be modified when compromised

27 Identity Management Distributed, heterogeneous domain User credentials Performance CSCE 522 - Farkas27 I am Ann. Here is my Password1. System 1 System 3 System 2 I am Ann. Here is my Password2. I am Ann. Here is my Password3. pswd

28 Identity Management cont. Need verifiable proof of identity – without being authenticated during every single interaction Digital certificate: links identity and public key together – A user can prove his/her identity by signing the messages with his/her private key CSCE 522 - Farkas28

29 Digital Certificates Most common digital certificate: X.509 Initially issued in 1988 Rely on PKI and hierarchy of certificate authorities Certificate Authority: issue and revoke digital certificates, accepts user notifications, publishes revocation list CSCE 522 - Farkas29

30 Digital Certificates Basic Content – … – Issuer – Validity Not Before Not After – Subject – Subject Public Key Info Public Key Algorithm Subject Public Key – … – Certificate Signature Algorithm – Certificate Signature CSCE 522 - Farkas30

31 Problem with X.509 Large file Long duration  needs validation of certificate for revocation Why are digital certificates revoked? – Exposure of private key – Incorrect/unauthorized issuance – Termination of assignment CSCE 522 - Farkas31

32 Return to Multiple Authentication CSCE 522 - Farkas32 I am Ann. Here is my X.509 System 1 System 3 System 2 I am Ann. Here is my X.509 I am Ann. Here is my X.509 CA Verify Certificate

33 Single Sign On CSCE 522 - Farkas33 I am Ann. Here is my X.509. Give me a locally verifiable token. System 1 System 3 System 2 I am Ann. Here is my SAML token I am Ann. Here is my SAML token SAML token CA Verify Certificate

34 CSCE 522 - Farkas34 Next Class Access Control

Download ppt "CSCE 522 Identification and Authentication. CSCE 522 - Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction."

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSC 474 Information Systems Security

CSC 474 Information Systems Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication & Kerberos

Authentication & Kerberos
Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Similar presentations

Ads by Google