1 Lecture 8: Authentication of People
what you know (password schemes)
what you have (keys, smart cards, etc.)
what you are (voice recognition, fingerprints, retinal scans, etc.)

2 Careless Use of Passwords
rarely changing the password (increases the probability of it being stolen, gives more time for an attack)
writing down the password (where the bad guys can see it)
e-mailing the password, putting it on the web or using it in scripts (e-mail is archived and otherwise easily accessible)
using the same password in multiple places (cascading break-in)
rotating through the same passwords if forced to change (defeats the purpose of changing)

3 Preventing Guessable Passwords
the measures should not be so extreme that users start writing the passwords down
reactive – run a guesser on the password file
–may be too late
proactive
–force users to change passwords frequently
  users may alternate or pick derivatives of the old password
–select random passwords for a user
  hard to remember
  variant: pronounceable random strings (1 vowel for 3 consonants) – a 10-character pronounceable password is about as good as an 8-character random one
–let users select their own but prevent them from picking bad ones
  good passwords – intentional misspelling, odd capitalization, first letters of a phrase, mixing in non-alphabetic characters

4 More on Password Strength
what should the length of the password be? depends on circumstances: 4 digits for an ATM card (10,000 choices), but only 3 attempts and a controlled environment (camera)
generic: should be as strong as a secret key – 64 random bits
–if considering lower/upper case and punctuation marks – 47 possibilities per keystroke (+ Alt/Ctrl, function keys): about 6 bits per keystroke – 11 random characters; humans will not remember them
–pronounceable: case-sensitive string of letters, 4 bits of randomness per keystroke – 16 random characters
–user-chosen: 2 bits of randomness per keystroke – 32 characters
cryptographically, passwords are one of the weakest points in system security
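The arithmetic on slides 3 and 4 (bits of randomness per keystroke times length, and random versus pronounceable strings) as a worked example. This is added code, not from the lecture; the consonant/vowel alternation used for the pronounceable generator is our own choice rather than the slide's 1-vowel-per-3-consonants ratio, and the 94-symbol printable set is an assumption standing in for the slide's "47 possibilities per keystroke".

```python
import math
import secrets
import string

# Added example, not part of the lecture. Assumptions: a 94-symbol printable
# alphabet for "random" passwords and strict consonant/vowel alternation for
# "pronounceable" ones.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21 letters


def bits_per_keystroke(alphabet_size: int) -> float:
    """Entropy of one uniformly random symbol drawn from alphabet_size choices."""
    return math.log2(alphabet_size)


def required_length(target_bits: float, bits_per_char: float) -> int:
    """Shortest length whose total randomness reaches target_bits."""
    return math.ceil(target_bits / bits_per_char)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniform random string from a CSPRNG (secrets, never random.choice, for secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable_password(length: int) -> str:
    """Alternate consonant and vowel so the string can be read aloud and remembered."""
    out = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(secrets.choice(pool))
    return "".join(out)


def pronounceable_entropy_bits(length: int) -> float:
    """Exact entropy of pronounceable_password(): each consonant slot is 1 of 21,
    each vowel slot 1 of 5, so a C/V pair carries log2(21)+log2(5) ~ 6.7 bits,
    i.e. ~3.4 bits per keystroke, close to the slide's rule of thumb of 4."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))


def strength_table(target_bits: int = 64) -> dict:
    """Lengths needed to reach target_bits at the slide's three per-keystroke rates."""
    return {
        "random (6 bits/keystroke)": required_length(target_bits, 6),
        "pronounceable (4 bits/keystroke)": required_length(target_bits, 4),
        "user-chosen (2 bits/keystroke)": required_length(target_bits, 2),
    }


if __name__ == "__main__":
    print(f"log2(47) = {bits_per_keystroke(47):.2f} bits per keystroke")
    for kind, n in strength_table().items():
        print(f"{kind}: {n} characters")
    print("random:       ", random_password(11))
    print("pronounceable:", pronounceable_password(16),
          f"({pronounceable_entropy_bits(16):.1f} bits)")
```

The table reproduces the slide's 11/16/32 figures; the entropy function shows why the pronounceable variant needs more characters than a fully random one for the same 64-bit target.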

5 On-line Password Guessing
poor choices make easy guessing targets
–first names, initials, SS#
–initial passwords related to account/user information
defenses:
–lock the account after consecutive failed passwords (used for PINs of ATM cards – only 3 attempts); not universal – can be used for a DoS attack against the legitimate user
–slow down password processing
–auditing: alert the user about unsuccessful login attempts; does not work for “stale” accounts
–disallow short or guessable passwords
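The first three defenses on this slide (lockout after consecutive failures, slowing down processing, and an audit trail the user can be alerted from) as an added server-side example. This is not code from the lecture; the parameters (3 strikes, 300-second lockout, 0.5 s per failure capped at 8 s) are assumptions, and the function takes the password-check result and a clock value as inputs so the logic can be exercised without sleeping.

```python
from collections import defaultdict

# Added example, not part of the lecture. Parameter values are assumptions.


class LoginThrottle:
    """Guard against on-line guessing: per-account consecutive-failure count,
    growing delay before each check, and lockout after max_failures in a row.

    Caveat from the slide: lockout keyed only on the account lets anyone who
    knows a username lock the real user out (DoS). A deployment would key the
    lockout on (account, source address) as well, or prefer delay over lockout
    for unknown sources; that is left out here to keep the mechanism visible.
    """

    def __init__(self, max_failures=3, lockout_seconds=300.0,
                 base_delay=0.5, max_delay=8.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay          # cap so delays never become unbounded
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.locked_until = {}              # account -> clock value
        self.audit = []                     # (now, account, event) for user alerts

    def attempt(self, account: str, password_ok: bool, now: float) -> dict:
        """Decide one login attempt. Returns allowed/locked flags and the delay
        the caller should impose before processing (slow-down defense)."""
        # 1. A locked account is not processed at all, even with the right password.
        if self.locked_until.get(account, 0.0) > now:
            self.audit.append((now, account, "rejected: account locked"))
            return {"allowed": False, "locked": True, "delay": 0.0}

        # 2. Slow down: every prior consecutive failure adds base_delay, capped.
        delay = min(self.base_delay * self.failures[account], self.max_delay)

        if password_ok:
            if self.failures[account]:
                # Audit: the user should be told that failed attempts preceded this login.
                self.audit.append((now, account,
                                   f"login after {self.failures[account]} failures"))
            self.failures[account] = 0
            return {"allowed": True, "locked": False, "delay": delay}

        # 3. Failure: count it and lock after max_failures in a row.
        self.failures[account] += 1
        self.audit.append((now, account, "failed login"))
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            self.audit.append((now, account, "account locked"))
            return {"allowed": False, "locked": True, "delay": delay}
        return {"allowed": False, "locked": False, "delay": delay}


if __name__ == "__main__":
    t = LoginThrottle()
    for now, ok in [(0, False), (1, False), (2, False), (10, True), (400, True)]:
        print(now, t.attempt("alice", ok, now))
    for event in t.audit:
        print(event)
```

The returned delay is imposed by the caller (for instance with time.sleep or a deferred response); keeping it out of the class makes the policy testable and lets a deployment apply it per connection rather than per thread.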

6 Off-line Password Guessing
stealing password files
–countermeasure: store only hashes of passwords
  problem: nobody besides the user knows the password; what if she forgets it?
attacks:
–exhaustive search
–dictionary
defenses:
–don’t allow short/guessable passwords
–don’t make password files readable
–salting: mix a random number into each hash, so that identical passwords hash differently and a precomputed dictionary cannot be reused across users

7 Eavesdropping
attacks
–watching the screen
–watching the keyboard
–login Trojan horses
–keyboard sniffers
–network sniffers
defenses
–protect password entry
–good network administration
–cryptographic protection
–one-time passwords
  list of passwords
  system challenges with a random number, user replies with the corresponding password

8 Initial Password Distribution
“bootstrap” problem: how to give the user a password
initial off-line authentication
–let the user choose a password
–initial password is selected by the system administrator
–pre-expired passwords: have to be changed at the first login

9 Authentication Tokens
physical device a person must present for authentication
–key (physical)
–ATM, credit cards (magnetic strip to store info – insecure)
–smart cards: on-card processor for cryptographic authentication
  PIN-protected cards: memory protected by a PIN (locks up after a sequence of incorrect guesses)
  challenge-response cards: perform challenge-response authentication through the card reader; problem – needs a card reader at every access point; newer technology: tokens working through USB ports
  cryptographic calculator: current time encrypted, displayed to the user, entered at the terminal; advantage: access through standard terminals
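Slide 7's challenge-response one-time password (system sends a random number, user answers with the corresponding value) and slide 9's cryptographic calculator (current time transformed under a key) are the same idea with different fresh inputs. This added example, not from the lecture, implements both with HMAC-SHA256 over a shared key; the slide says "encrypted", and using a keyed hash instead is our substitution. The key, 60-second step, one-window clock tolerance and 8-hex-digit display are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not part of the lecture. Key, step, skew and token width are
# assumptions; HMAC stands in for the slide's "encrypted".


def response(key: bytes, challenge: bytes) -> str:
    """Prover side (card or user): keyed function of the server's random number."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Verifier side of slide 7. Each challenge is random and single-use, so an
    eavesdropper who records one (challenge, response) pair learns nothing
    that works for the next login."""

    def __init__(self, keys: dict):
        self.keys = keys            # user -> shared key
        self.outstanding = {}       # user -> challenge awaiting an answer

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding[user] = c  # a new challenge replaces any unanswered one
        return c

    def verify(self, user: str, resp: str) -> bool:
        c = self.outstanding.pop(user, None)   # consumed: replay of resp fails
        if c is None or user not in self.keys:
            return False
        return hmac.compare_digest(response(self.keys[user], c), resp)


def token_for_counter(key: bytes, counter: int) -> str:
    """The calculator's display: keyed function of the time window, truncated."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def time_token(key: bytes, now: int, step: int = 60) -> str:
    """Prover side of slide 9: what the token shows at clock value now."""
    return token_for_counter(key, now // step)


class TimeTokenVerifier:
    """Verifier for slide 9. Accepts the current window and +/-skew neighbours
    (clock drift between token and server) and refuses a window that has
    already been used, so a token typed once cannot be typed again."""

    def __init__(self, key: bytes, step: int = 60, skew: int = 1):
        self.key, self.step, self.skew = key, step, skew
        self.used = set()           # counters already accepted

    def verify(self, token: str, now: int) -> bool:
        base = now // self.step
        for d in range(-self.skew, self.skew + 1):
            ctr = base + d
            if ctr in self.used:
                continue
            if hmac.compare_digest(token_for_counter(self.key, ctr), token):
                self.used.add(ctr)
                return True
        return False


if __name__ == "__main__":
    key = b"0123456789abcdef"
    srv = ChallengeResponseServer({"alice": key})
    c = srv.challenge("alice")
    r = response(key, c)
    print("fresh response accepted:", srv.verify("alice", r))
    print("replayed response accepted:", srv.verify("alice", r))
    tok = time_token(key, 1_000_000)
    v = TimeTokenVerifier(key)
    print("token accepted:", v.verify(tok, 1_000_010))
    print("same token again:", v.verify(tok, 1_000_015))
    print("ten minutes later:", v.verify(tok, 1_000_600))
```

Both verifiers share the property the slides are after: the value an eavesdropper captures is tied to a random number or a time window and is rejected once that input has been consumed. The time-based form needs no channel from server to token, which is what lets it work "through standard terminals".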

10 Biometrics
authentication by inherent physical characteristics
usually invasive, expensive and not useful for remote authentication
examples
–retinal scanner – examines the back of the eye
–fingerprint reader – seems to be hard to automate
–face recognition – what if you get a black eye?
–iris scanner – less invasive than a retinal scanner (can be done from a distance)
–voiceprints – may be defeated with a recording; what if you get a sore throat?
–keystroke timing
–signatures – hard to automate; possible if the production of the signature (the movements) is also recorded