Computer Security Protection in general purpose Operating Systems


Computer Security Protection in general purpose Operating Systems 5/18/2019

Entity Authentication
Entity authentication is the process of verifying a claimed identity. It is based on:
- something the entity knows
- something the entity holds
- something the entity is
- something the entity does
- where the entity is

Something the entity knows
The user has to know some secret, such as a password or a personal identification number (PIN).
Threats: anybody who knows your secret "is you"!

Something the entity holds
The user has to present a physical token (such as a key, an identity tag, or a card) to be authenticated.
Threats: the token can be lost or stolen!

Something the entity is
Use biometrics, such as fingerprints, palm prints, iris patterns, or retina patterns. With biometrics a stored pattern is compared to an actual measurement taken at authentication time.
Problems:
- False positives (accepting the wrong entity) and false negatives (rejecting the right one)!
- Many users find biometrics unacceptable.
- Gruesome threats of the kind used in some Hollywood thrillers!

Something the entity does
People perform some mechanical tasks in a way that is both repeatable and specific to the individual.
Examples:
- handwritten signatures on a writing pad
- the writing speed and pressure of a handwritten signature
- on the keyboard, the typing speed and the intervals between keystrokes
Problems: false positives (accepting the wrong entity) and false negatives!

Where the entity is
The system may take into account the location of the login. For example, access may only be granted from certain terminals. With mobile and distributed computing, the precise geographical location can be established during authentication using the services of a global positioning system (GPS).

Usernames & Passwords
The most common authentication mechanism. Although password protection seems to offer relatively good security, human practice degrades its quality.
Attacks on passwords:
- Exhaustive search
- Try many probable passwords
- Try likely passwords for the user
- Search for the system list of passwords
- Ask the user!

Exhaustive search attacks
If passwords are words consisting of the 26 characters A-Z and have length 8, then there are altogether 26^8 passwords. This is roughly 2*10^11, which seems intractable enough. It would take on the order of 6 years to test all passwords at a rate of 1 millisecond per password. If we were to speed up the search to one microsecond per password, this would come down to approximately 2 days.

Probable passwords
People prefer simple passwords. Our earlier analysis assumes that people choose passwords such as "vxlagrst", whereas in reality they tend to use names and words they can remember. Spelling checkers carry dictionaries of the most common English words. The typical size of such a dictionary is 80,000 words. This reduces the search to seconds.

Passwords likely for a user
People prefer words which are related to them, such as the name of a spouse, a child, a relative, a pet, a street name, or something else memorable or familiar. Some people pick a simple password and substitute certain characters, such as 0 (zero) for the letter O, 1 for the letter L, 3 for the letter E, etc.

Password defenses
- Password checkers: check a password against a dictionary of weak passwords.
- Password generators: users are not allowed to pick their own passwords.
- Password ageing: an expiry date is set for passwords.
- Limit login attempts.
- Inform the user after a successful login of the last login and the number of failed logins since then.

Spoofing attacks
An entity enters a password and the system verifies the entity's identity. But does the user know who has received the password?
Defenses:
- Display the number of failed attempts.
- Use trusted paths (with Windows NT, CTRL+ALT+DEL invokes the OS login screen).
- Mutual authentication: the system could be required to identify itself.

Protecting the password file
To validate passwords the system compares the password entered against a value stored in the password file.
Defenses:
- Cryptographic protection (e.g. use a one-way hash function f: instead of listing passwords x, list their values f(x); beware of dictionary attacks!)
- Access control enforced by the OS (e.g. restrict access to files and other resources to users holding the appropriate privileges)
- Combine both

Cryptographic protection
Use a one-way hash function f. Instead of storing the password x in the password list, the hash f(x) is stored. The password list is organized as a two-column table of user IDs (usernames) and the corresponding hashed values. When the user logs in and enters the password x, it is hashed (locally) into f(x). This value is then compared with the stored value.

Cryptographic protection
The one-way hash function f: crypt(3) for Unix systems. This uses a slightly modified version of the encryption scheme DES with 25 "rounds" (instead of the 16 rounds). It encrypts the all-zero block using the password x as the key. The encryption f(x) of the zero block is the hash value.

Cryptographic protection
Access control mechanisms in the OS restrict access to files and other resources to users holding the appropriate privileges. Only privileged users can have write access to the password file; otherwise an attacker could access the data of other users by changing their entries in the password file. If read access is also restricted to privileged users, then passwords should be secure, in theory. In practice an attacker can still use a dictionary attack.

Cryptographic protection
Dictionary attacks can be prevented by using password salting. With salting, additional information (the salt) is appended to the password x before it is hashed to get f(x). This implies that even if two users have the same password, their salted hashes will be different.
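As an added example (not from the slides), the Python below builds the two-column table of usernames and hashed values described above, performs the login comparison, and shows why salting matters: without salt, two users with the same password store the same value and a word hashed once in advance matches every user who chose it; with salt, neither holds. It substitutes SHA-256 for the crypt(3) DES construction, and the usernames, passwords and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed toy word list standing in for a spelling-checker dictionary.
DICTIONARY = ["secret", "password", "letmein", "qwerty"]

def f(password: str, salt: bytes = b"") -> str:
    """One-way function f: SHA-256 over salt || password (stand-in for crypt(3))."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def add_user(table: dict, username: str, password: str, salted: bool) -> None:
    """Store (salt, f(salt||x)) in the two-column table, never the password x."""
    salt = os.urandom(16) if salted else b""
    table[username] = (salt, f(password, salt))

def verify(table: dict, username: str, password: str) -> bool:
    """Login check: hash the entered password with the stored salt and compare."""
    entry = table.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, f(password, salt))

def shared_hashes(table: dict) -> int:
    """Count distinct stored hash values that more than one user shares."""
    counts = {}
    for _salt, digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for n in counts.values() if n > 1)

def precomputed_matches(table: dict) -> int:
    """Users whose stored value equals f(word) for a word hashed once, in advance."""
    precomputed = {f(word) for word in DICTIONARY}
    return sum(1 for _salt, digest in table.values() if digest in precomputed)

def build_table(salted: bool) -> dict:
    """Constructed sample users; alice and bob chose the same weak password."""
    table = {}
    add_user(table, "alice", "secret", salted)
    add_user(table, "bob", "secret", salted)
    add_user(table, "carol", "vxlagrst", salted)
    return table

if __name__ == "__main__":
    for salted in (False, True):
        t = build_table(salted)
        print(f"salted={salted}: shared={shared_hashes(t)}, "
              f"precomputed_matches={precomputed_matches(t)}")
```

Real systems also make f deliberately slow so that each guess costs the attacker measurable work; the plain SHA-256 here is only to keep the table mechanics visible.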

Multiple passwords
For additional protection several passwords may be used. For example, use the first password for the workstation, the second to get onto the network, the third to access the server, the fourth to access the database management system, etc.

Passwords: single sign-on
Remembering many passwords is rather inconvenient. A single sign-on service solves this problem. You enter your password once, the system stores it, and then uses it whenever you have to authenticate yourself again. However, this raises new security concerns. How do you protect the stored password? (The password needs to be kept in cleartext.)