Authentication What you know? What you have? What you are?

Slides:



Advertisements
Similar presentations
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Advertisements

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.
CSC 474 Information Systems Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies
Authentication & Kerberos
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Security-Authentication
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Chapter 10: Authentication Guide to Computer Network Security.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
CSCE 201 Identification and Authentication Microsoft support Fall 2010.
10/8/20151 Computer Security Authentication. 10/8/20152 Entity Authentication Entity Authentication is the process of verifying a claimed identity It.
Lecture 11: Strong Passwords
Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
G53SEC 1 Authentication and Identification Who? What? Where?
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
1 Lect. 20. Identification. 2  Entity Authentication (Identification) Over the communication network, one party, Alice, shows to another party, Bob,
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
Ingredients of Information Security. - Who has access the asset? - Is the asset correct? - Is the asset accessible? …uncorrupted? …authentic?
Authentication Chapter 2. Learning Objectives Create strong passwords and store them securely Understand the Kerberos authentication process Understand.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
G53SEC 1 Authentication and Identification Who? What? Where?
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Pertemuan #9 Security in Practice Kuliah Pengaman Jaringan.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
1 Data Access Control, Password Policy and Authentication Methods for Online Bank Md. Mahbubur Rahman Alam B. Sc. (Statistics) Dhaka University M. Sc.
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
CSCE 201 Identification and Authentication Fall 2015.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
My topic is…………. - It is the fundamental building block and the primary lines of defense in computer security. - It is a basic for access control and.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
CSCE 522 Identification and Authentication
Challenge/Response Authentication
Outline The basic authentication problem
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
CSCE 522 Identification and Authentication
Challenge/Response Authentication
Authentication.
Radius, LDAP, Radius used in Authenticating Users
Network Security Unit-VI
Computer Security Authentication
Computer Security Protection in general purpose Operating Systems
COEN 351 Authentication.
Presentation transcript:

Authentication What you know? What you have? What you are?

Authentication CSCE Farkas/Eastman -- Fall Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

Authentication CSCE Farkas/Eastman -- Fall Authentication Information Must be securely maintained by the system.

Authentication CSCE Farkas/Eastman -- Fall Elements of Authentication Person/group/code/system Distinguishing characteristic Proprietor/system owner/administrator Authentication mechanism Access control mechanism

Authentication CSCE Farkas/Eastman -- Fall Authentication Requirements System must ensure Data exchange is established with addressed peer entity and not with an entity that masquerades or replays previous messages Data source is the one claimed

Authentication CSCE Farkas/Eastman -- Fall Authentication vs. Identification Identification – Who are you? Authentication – Why should we believe you? Authentication generally follows identification

Authentication CSCE Farkas/Eastman -- Fall User Authentication What the user knows Password, personal information What the user possesses Physical key, ticket, passport, token, smart card What the user is (biometrics) Fingerprints, voiceprint, signature dynamics

Authentication CSCE Farkas/Eastman -- Fall Passwords For each user, system stores (user name, F(password)), where F is some transformation (e.g., one-way hash) in a password file When user enters the password, system computes F(password); match provides proof of identity

Authentication CSCE Farkas/Eastman -- Fall F(password) Password  F(password): easy F(password)  password: hard Password is not stored in the system

Authentication CSCE Farkas/Eastman -- Fall Vulnerabilities of Passwords Easy to guess or snoop No control on sharing Visible if unencrypted in networks Susceptible for replay attacks if encrypted naively

Authentication CSCE Farkas/Eastman -- Fall Advantages of Passwords Easy to modify compromised password System well understood by most users Specialized hardware not needed

Authentication CSCE Farkas/Eastman -- Fall Weak Passwords Bell Labs study (Morris and Thompson, 1979), 3289 passwords were examined Summary: 2831 passwords (86% of the sample) were weak, i.e., either too easy to predict or too short

Authentication CSCE Farkas/Eastman -- Fall Study Details 15 single ASCII characters 72 two ASCII characters 464 three ASCII characters 477 four ASCII characters 706 five letters (all lower case or all upper case) 605 six letters, all lower case 492 weak passwords (name, dictionary words, etc.)

Authentication CSCE Farkas/Eastman -- Fall Password Attacks Guessing attack Dictionary attack Social engineering Spoofing attack Other attacks (covered later)

Authentication CSCE Farkas/Eastman -- Fall Guessing Attack Exploits human tendency to use easy to remember passwords Trial-and-error attack Easy to detect and block (failed logins) Need audit mechanism

Authentication CSCE Farkas/Eastman -- Fall Dictionary Attack Attack 1: Create dictionary of common words and names and their simple transformations Use these to guess password Attack 2: Usually F is public and so is the password file (encrypted) Compute F(word) for each word in dictionary Find match

Authentication CSCE Farkas/Eastman -- Fall Social Engineering Attacker asks for password by masquerading as somebody else (not necessarily an authenticated user) May be difficult to detect Protection against social engineering: strict security policy and user education

Authentication CSCE Farkas/Eastman -- Fall Login Spoofing Create a fake login screen Capture login and password when user attempts to log in Present a fake failed login screen User may not even notice there is a problem

Authentication CSCE Farkas/Eastman -- Fall Password Defenses Password salt Password management policies Lamport’s scheme One time passwords Time synchronization Challenge response

Authentication CSCE Farkas/Eastman -- Fall Password Salt Used to make dictionary attack more difficult Salt is a 12 bit number between 0 and 4095 Derived from system clock and the process ID Compute F(password+salt); both salt and F(password+salt) are stored in the password table User: gives password, system finds salt and computes F(password+salt) and checks for match Note: with salt, the same password is computed in 4096 ways

Authentication CSCE Farkas/Eastman -- Fall Password Management Policies Educate users to make better choices Define rules for good password selection and ask users to follow them Ask or force users to change their password periodically Actively attempt to break user’s passwords and force users to change broken ones Screen password choices

Authentication CSCE Farkas/Eastman -- Fall Lamport’s scheme Doesn’t require any special hardware System computes F(x),F 2 (x),…, F 100 (x) (this allows 100 logins before password change) System stores user’s name and F 100 (x) User supplies F 99 (x) the first time If the login is correct, system replaces F 100 (x) with F 99 (x) Next login: user supplies F 98 (x) … and so on User calculates F n (x) using a hand-held calculator, a workstation, or other devices

Authentication CSCE Farkas/Eastman -- Fall One-time Password Use the password exactly once! Often done for initial assigned passwords User must change password before doing anything else

Authentication CSCE Farkas/Eastman -- Fall Time Synchronized There is a hand-held authenticator It contains an internal clock, a secret key, and a display Display outputs a function of the current time and the key It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function and its clock to calculate the expected output Login is valid if the values match

Authentication CSCE Farkas/Eastman -- Fall Challenge/Response Work station Host Network  Non-repeating challenges from the host  The device requires a keypad User ID Challenge Response

Authentication CSCE Farkas/Eastman -- Fall Challenge/Response Problems Key database is extremely sensitive This can be avoided if public key algorithms are used

Authentication CSCE Farkas/Eastman -- Fall Devices with Personal Identification Number (PIN) Devices are subject to theft Some devices require PIN (something the user knows) PIN is used by the device to authenticate the user

Authentication CSCE Farkas/Eastman -- Fall Smart Cards Portable devices with a CPU, I/O ports, and some nonvolatile memory Can carry out computation required by public key algorithms and transmit directly to the host Some use biometrics data about the user instead of the PIN

Authentication CSCE Farkas/Eastman -- Fall Biometrics Fingerprint Retina scan Voice pattern Signature Typing style Hand geometry

Authentication CSCE Farkas/Eastman -- Fall Problems with Biometrics Expensive Retina scan (min. cost) about $ 2,200 Voice (min. cost) about $ 1,500 Signature (min. cost) about $ 1,000 False readings Retina scan 1/10,000,000+ Signature 1/50 Fingerprint 1/500 Can’t be modified when compromised

Authentication CSCE Farkas/Eastman -- Fall Errors in Biometrics False rejection rate (FRR) Authorized subject is rejected False acceptance rate (FAR) Unauthorized subject is accepted Crossover error rate (CER) FRR = FAR

Authentication CSCE Farkas/Eastman -- Fall Two-factor Authentication Require two forms of authentication Password + smart card PIN + hand geometry

Authentication CSCE Farkas/Eastman -- Fall Wellness Center Identification – SSN Authorization – hand geometry High change of random hands matching Low chance of your friend’s hand matching yours

Authentication CSCE Farkas/Eastman -- Fall Single Sign-On (SSO) Provide identification and authorization once for a set of related systems VIP limited SSO Kerberos (ker-ber-OUS) Symmetric key cryptosystem Trusted third party (Key Distribution Center (KDC) – a trusted third party

Authentication CSCE Farkas/Eastman -- Fall Responsibility for Data Data owner (data administrator) Sets policies Data custodian (database administrator) Implements policies Data user (database user) Follows policies

Authentication CSCE Farkas/Eastman -- Fall Chapter Topic Review Access control Identification and authentication Possible threats Miscellaneous examples

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.