CSC 474 Information Systems Security

Slides:



Advertisements
Similar presentations
Lecture 6 User Authentication (cont)
Advertisements

CSC 774 Advanced Network Security
Password Cracking Lesson 10. Why crack passwords?
CSC 774 Advanced Network Security
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Computer Science 1 CSC 405 Introduction to Computer Security Topic 4. Security in Conventional Operating Systems -- Part II.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
Security-Authentication
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Authentication Approaches over Internet Jia Li
Chapter 10: Authentication Guide to Computer Network Security.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS 450 – Network Security Chapter 8 – Password Security.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
CSCE 201 Identification and Authentication Microsoft support Fall 2010.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.
Lecture 11: Strong Passwords
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Authentication (ch 9~12) IT443 – Network Security Administration 1.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Chapter 4 – Protection in General-Purpose Operating Systems Section 4.5 User Authentication.
Password authentication Basic idea –User has a secret password –System checks password to authenticate user Issues –How is password stored? –How does system.
G53SEC 1 Authentication and Identification Who? What? Where?
Cpr E 308 Spring 2004 Security Unix Passwords Security across a network Cryptography – encryption and decryption.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.
1 Lect. 20. Identification. 2  Entity Authentication (Identification) Over the communication network, one party, Alice, shows to another party, Bob,
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
G53SEC 1 Authentication and Identification Who? What? Where?
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Pertemuan #9 Security in Practice Kuliah Pengaman Jaringan.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
Authentication What you know? What you have? What you are?
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
CSCE 201 Identification and Authentication Fall 2015.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
My topic is…………. - It is the fundamental building block and the primary lines of defense in computer security. - It is a basic for access control and.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Chapter Six: Authentication 2013 Term 2 Access Control Two parts to access control Authentication: Are you who you say you are?  Determine whether access.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
CSCE 522 Identification and Authentication
Challenge/Response Authentication
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
CSCE 522 Identification and Authentication
Identification and Authentication
Password Cracking Lesson 10.
Authentication.
Network Security Unit-VI
Authentication.
Computer Security Authentication
Computer Security Protection in general purpose Operating Systems
COEN 351 Authentication.
Presentation transcript:

CSC 474 Information Systems Security Topic 3.2: User Authentication CSC 474 Dr. Peng Ning

User Authentication What the user knows What the user possesses passwords, personal information What the user possesses a physical key, a ticket, a passport, a token, a smart card What the user is (biometrics) fingerprints, voiceprint, signature dynamics User authentication is based on one of the following three things. Either …, or …, or …. Examples of what the user knows include passwords, personal information, and so on. Examples of … CSC 474 Dr. Peng Ning

Passwords Most commonly used method. Computer Alice System I’m Alice, the password is fiddlesticks Alice Can we store passwords in the file system? CSC 474 Dr. Peng Ning

Storing User Passwords Directly Store the Passwords? Not a good idea! High risk Anyone who captures the password database could impersonate all the users. The password database would be very attractive to hackers. CSC 474 Dr. Peng Ning

One-Way Hash Function One-way hash function F F F(x) is easy to compute From F(x), x is difficult to compute Example: F(x) = gx mod p, where p is a large prime number and g is a primitive root of p. F x F(x) The system uses one-way function to help store the passwords. For example, a one-way function could be to compute g to the power x for a given x. easy difficult CSC 474 Dr. Peng Ning

(user name, F(password)) Storing Passwords For each user, system stores (user name, F(password)) in a password file, where F is a one-way hash function When a user enters the password, system computes F(password); a match provides proof of identity CSC 474 Dr. Peng Ning

crypt Algorithm (Unix) What is F? crypt Algorithm (Unix) Designed by Bob Morris and Ken Thompson Use Data Encryption Standard (DES) encryption algorithm User password and salt is used as the encryption key to encrypt a 64-bit block of zeros This process is repeated 25 times 25 times 00…0 DES F(x) 64 bits x = Password+Salt CSC 474 Dr. Peng Ning

Choice of Passwords Suppose passwords can be from 1 to 9 characters in length Possible choices for passwords = 261 + 262 + ... + 269 = 5 *1012 At the rate of 1 password per millisecond, it will take on the order of 150 years to test all passwords CSC 474 Dr. Peng Ning

Choice of Passwords (Cont’d) However, we don’t need to try all possible passwords, only the probable passwords In a Bell Labs study (Morris & Thompson 1979), 3,289 passwords were examined 15 single ASCII characters, 72 two ASCII characters, 464 three ASCII characters, 477 four alphanumeric character, 706 five letters(all lower or all upper case), 605 six letters all lower case, 492 weak passwords (dictionary words spelled backwards, first names, surnames, etc.) Summary: 2,831 passwords (86% of the sample) were weak, i.e., they were either too easily predictable or too short Only the passwords that are possible to be chosen. CSC 474 Dr. Peng Ning

Dictionary Attacks Attack 1: Create a dictionary of common words and names and their simple transformations Use these to guess the password Eagle Wine Rose … Eagle What can we do about it? Slow down the system’s response. Yes! Dictionary CSC 474 Dr. Peng Ning

Dictionary Attacks (Cont’d) Usually F is public and so is the password file In Unix, F is crypt, and the password file is /etc/passwd. Compute F(word) for each word in the dictionary A match gives the password Eagle Wine Rose … TdWx% XkPT KYEN … F(Eagle)=XkPT Password file Dictionary CSC 474 Dr. Peng Ning

Dictionary Attacks (Cont’d) To speed up search, pre-compute F(dictionary) A simple look up gives the password Eagle Wine Rose … XkPT %$DVC #AED! … TdWx% XkPT KYEN … F Look up Pre-computed Dictionary Password file Dictionary CSC 474 Dr. Peng Ning

Password Salt To make the dictionary attack a bit more difficult Salt is a 12-bit number between 0 and 4095 Derived from the system clock and the process identifier CSC 474 Dr. Peng Ning

Password Salt (Cont’d) Storing the passwords Password + Salt F F(Password + Salt) Password file Username, Salt, F(Password + Salt) CSC 474 Dr. Peng Ning

Password Salt (Cont’d) Verifying the passwords Fetch Salt according to username Password + Salt F F(Password + Salt) Compare Password file Username, Salt, F(Password + Salt) CSC 474 Dr. Peng Ning

Does Password Salt Help? Attack 1? Without Salt With Salt Eagle Wine Rose … A word Yes/No Dictionary CSC 474 Dr. Peng Ning

Does Password Salt Help? Attack 2? Without Salt With Salt Eagle Wine Rose … TdWx% XkPT KYEN … F Password file Dictionary CSC 474 Dr. Peng Ning

Does Password Salt Help? Attack 3? Without Salt With Salt Y Eagle Wine Rose … %$DVC XkPT #AED! … TdWx% XkPT KYEN … F Look up Pre-computed Dictionary Password file Dictionary CSC 474 Dr. Peng Ning

Password Management Policy and Procedure Educate users to make better choices Does not work if the user population is large or novice Define rules for good password selection and ask users to follow them Rules serve as guideline for attackers Ask or force users to change their passwords periodically Force users to use machine generated passwords Random passwords are difficult to memorize; also password generator may become known to the attacker through analysis Actively attempt to break users’ passwords; force users to change those that are broken Attacker may have better dictionary Screen password choices; if a choice is weak, force users to make a different choice There are some ways to make passwords safer. Some of them are listed here. CSC 474 Dr. Peng Ning

One-time Passwords Use the password exactly once! CSC 474 Passwords are visible in the clear in distributed and networked systems Passwords are susceptible to replay attacks if encrypted naively CSC 474 Dr. Peng Ning

Lamport’s Scheme (S/Key) Take advantage of One-Way function One-way hash function F F(x) is easy to compute From F(x), x is difficult to compute F x F(x) easy difficult CSC 474 Dr. Peng Ning

S/Key (Cont’d) Pre-computation F The System 1. Randomly generate x 2. Compute the following F x F1(x) F2(x) … Fn(x) 3. Save (username, Fn(x)), and give x to the user. CSC 474 Dr. Peng Ning

S/Key (Cont’d) Authentication F The first time, the user supplies F(n-1)(x). The system checks if F(F(n-1)(x))=Fn(x). If yes, the user is authenticated and the system replaces Fn(x) with F(n-1)(x). The second time, the user supplies F(n-2)(x). The third time, … F F(i-1)(x) Fi(x) CSC 474 Dr. Peng Ning

Time Synchronized There is a hand-held authenticator It contains an internal clock, a secret key, and a display Display outputs a function of the current time and the key It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function, and its clock to calculate the expected output The login is valid if the values match In practice, the clock skew is a problem CSC 474 Dr. Peng Ning

Time Synchronized (Cont’d) Secret Key Time Encryption One Time Password CSC 474 Dr. Peng Ning

Challenge Response A non-repeating challenge from the host instead of a clock is used Note that the device requires a keypad. NETWORK HOST WORK STATION User ID Challenge Response CSC 474 Dr. Peng Ning

Challenge Response (Cont’d) Secret Key Challenge Encryption Response CSC 474 Dr. Peng Ning

Challenge Response (Cont’d) Problems with challenge/response schemes Key database is extremely sensitive This can be avoided if public key algorithms are used; however, the outputs would be too long for users to input conveniently CSC 474 Dr. Peng Ning

Biometrics Fingerprint Retina scan Voice pattern Signature Typing style CSC 474 Dr. Peng Ning

Biometrics (Cont’d) Technique Description Min. Cost False Reading Retina Eyes scanned 1 to 2 inches from screening device $2,400 1/10,000,000+ Iris Camera image of eye takes from 14 inches $3,500 1/131,000 Hand Hand scanned on plate by three video cameras at different angles $2,150 1/500 Fingerprint Finger scanned on glass plate $1,995 Signature Written with special pen on digitizer tablet $1,000 1/50 Voice Predefined phrase spoken into telephone or microphone $1,500 CSC 474 Dr. Peng Ning

Effectiveness of Biometrics Two types of errors for authentication False acceptance (FA) Let imposters in FAR: the probability that an imposter is authenticated. False rejection (FR) Keep authorized users out FRR: the probability that an authorized user is rejected. Another type of error for identification False match (FM) One user is mistaken for another (legitimate user) FMR: the probability that a user is incorrectly matched to a different user’s profile. No technique is perfect! CSC 474 Dr. Peng Ning

Multimodal Biometrics Use multiple Biometrics together. AND: Accept only when all are passed Why do we need this? OR: Accept as long as at least one is passed Others Retina scan Fingerprint Voice recognition User Decision Yes/No CSC 474 Dr. Peng Ning

Summary Password authentication One-time passwords Biometrics Storing passwords Dictionary attacks Password Salt One-time passwords S/Key Time synchronized Challenge response Biometrics CSC 474 Dr. Peng Ning

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.