Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Slides:



Advertisements
Similar presentations
Lecture 6 User Authentication (cont)
Advertisements

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
By: Monika Achury and Shuchita Singh
FIT3105 Smart card based authentication and identity management Lecture 4.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Marjie Rodrigues
Security-Authentication
Biometric Authentication Presenter: Yaoyu, Zhang Presenter: Yaoyu, Zhang.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Lecture 19 Page 1 CS 111 Online Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 On-Line MS Program Operating.
Security Measures Using IS to secure data. Security Equipment, Hardware Biometrics –Authentication based on what you are (Biometrics) –Biometrics, human.
Chapter 10: Authentication Guide to Computer Network Security.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
BUSINESS B1 Information Security.
Lecture 18 Page 1 CS 111 Online Access Control Security could be easy – If we didn’t want anyone to get access to anything The trick is giving access to.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Lecture 19 Page 1 CS 111 Online Authentication for Operating Systems What is authentication? How does the problem apply to operating systems? Techniques.
1 Lecture 8: Authentication of People what you know (password schemes) what you have (keys, smart cards, etc.) what you are (voice recognition, fingerprints,
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Security Issues and Strategies Chapter 8 – Computers: Understanding Technology (Third edition)
G53SEC 1 Authentication and Identification Who? What? Where?
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
Biometrics Authentication Technology
G53SEC 1 Authentication and Identification Who? What? Where?
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Power Point Project Michael Bennett CST 105Y01 ONLINE Course Editor-Paulette Gannett.
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
PRESENTATION ON BIOMETRICS
Lecture 7 Page 1 CS 236 Online Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Authorization vs. Authentication Authentication is the process of proving identity to the system –login Authorization happens after authentication. It.
Biometric for Network Security. Finger Biometrics.
Authentication Lesson Introduction ●Understand the importance of authentication ●Learn how authentication can be implemented ●Understand threats to authentication.
1 Figure 2-8: Access Cards Magnetic Stripe Cards Smart Cards  Have a microprocessor and RAM  More sophisticated than mag stripe cards  Release only.
Authentication What you know? What you have? What you are?
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
CSCE 201 Identification and Authentication Fall 2015.
My topic is…………. - It is the fundamental building block and the primary lines of defense in computer security. - It is a basic for access control and.
LEARNING AREA 1 : INFORMATION AND COMMUNICATION TECHNOLOGY PRIVACY AUTHENTICATION VERIFICATION.
Information Systems Design and Development Security Precautions Computing Science.
An Introduction to Biometrics
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
Lecture 7 Page 1 CS 136, Fall 2011 Authentication CS 136 Computer Security Peter Reiher October 13, 2011.
Challenge/Response Authentication
Outline The basic authentication problem
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Authentication CS 136 Computer Security Peter Reiher October 18, 2012
Challenge/Response Authentication
Outline What does the OS protect? Authentication for operating systems
Authentication.
Authentication CS 136 Computer Security Peter Reiher October 15, 2013
Outline What does the OS protect? Authentication for operating systems
Authentication Computer Security Peter Reiher April 19, 2016
Authentication CS 136 Computer Security Peter Reiher January 28, 2010
Authentication Computer Security Peter Reiher January 31, 2017
Authentication CS 136 Computer Security Peter Reiher April 21, 2009
CS703 - Advanced Operating Systems
Chapter Goals Discuss the CIA triad
BY: Michael Etse and Maverick Fermill
Presentation transcript:

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The system asks the user to provide some information If it’s provided correctly, the user is authenticated

Lecture 7 Page 2 CS 236 Online Differences From Passwords Challenge/response systems ask for different information every time Or at least the questions come from a large set Best security achieved by requiring what amounts to encryption of the challenge –But that requires special hardware –Essentially, a smart card

Lecture 7 Page 3 CS 236 Online Problems With Authentication Through Challenge/Response Either the question is too hard to answer without special hardware Or the question is too easy for intruders to spoof the answer Still, commonly used in real-world situations –E.g., authenticating you by asking your childhood pet’s name

Lecture 7 Page 4 CS 236 Online A Short Digression on “Security Questions” Common in web sites If you forget your password, answer a “security question” Answering that properly gets you access Which means knowing the security question’s answer is as good as knowing the password How secure are these “security questions?” How could the concept be improved?

Lecture 7 Page 5 CS 236 Online Some Recent Results From a Microsoft Research study 1 Acquaintances could guess answers to 17% of security questions 13% of all answers guessable in five tries –With no information about legitimate user –Just guessing most popular alternatives –Culturally based, so it depends who’s guessing Generally depressing results 1

Lecture 7 Page 6 CS 236 Online Identification Devices Authentication by what you have A smart card or other hardware device that is readable by the computer Authenticate by providing the device to the computer

Lecture 7 Page 7 CS 236 Online Simple Use of Authentication Tokens If you have the token, you are identified Generally requires connecting the authentication device to computer –Unless done via wireless Weak, because it’s subject to theft and spoofing How can we do better?

Lecture 7 Page 8 CS 236 Online Authentication With Smart Cards How can the server be sure of the remote user’s identity? challenge E(challenge) Authentication verified!

Lecture 7 Page 9 CS 236 Online Some Details on Smart Cards Cryptography performed only on smart card –So compromised client machine can’t steal keys Often user must enter password to activate card –Should it be entered to the card or the computer?

Lecture 7 Page 10 CS 236 Online Problems With Identification Devices If lost or stolen, you can’t authenticate yourself –And maybe someone else can –Often combined with passwords to avoid this problem Unless cleverly done, susceptible to sniffing attacks Requires special hardware

Lecture 7 Page 11 CS 236 Online Authentication Through Biometrics Authentication based on who you are Things like fingerprints, voice patterns, retinal patterns, etc. To authenticate to the system, allow system to measure the appropriate physical characteristics Biometric converted to binary and compared to stored values –With some level of match required

Lecture 7 Page 12 CS 236 Online Problems With Biometric Authentication Requires very special hardware –Possibly excepting systems that examine typing patterns May not be as foolproof as you think Many physical characteristics vary too much for practical use Generally not helpful for authenticating programs or roles What happens when it’s cracked? –You only have two retinas, after all

Lecture 7 Page 13 CS 236 Online When Do Biometrics (Maybe) Work Well? When you use them for authentication –Carefully obtain clean readings from legitimate users –Compare those to attempts to authenticate When biometric readers are themselves secure In conjunction with other authentication

Lecture 7 Page 14 CS 236 Online When Do Biometrics (Definitely) Work Poorly? Finding “needles in haystacks” –Face recognition of terrorists in airports When working off low-quality readings When the biometric reader is easy to bypass or spoof –Anything across a network is suspect When the biometric is “noisy” –Too many false negatives

Lecture 7 Page 15 CS 236 Online Characterizing Biometric Accuracy How many false positives? Match made when it shouldn’t have been Versus how many false negatives? Match not made when it should have been Errors Sensitivity False Positive Rate False Negative Rate The Crossover Error Rate (CER) Generally, the higher the CER is, the better the system But sometimes one rate more important than the other

Lecture 7 Page 16 CS 236 Online Some Typical Crossover Error Rates TechnologyRate Retinal Scan1:10,000,000+ Iris Scan1:131,000 Fingerprints1:500 Facial Recognition1:500 Hand Geometry1:500 Signature Dynamics1:50 Voice Dynamics1:50 Data as of 2002 Things can improve a lot in this area over time Also depends on how you use them And on what’s important to your use

Lecture 7 Page 17 CS 236 Online A Biometric Cautionary Tale A researcher in Japan went out and bought some supplies from a hobby store (in 2002) He used them to create gummy fingers –With gummy fingerprints With very modest tinkering, his gummy fingers fooled all commercial fingerprint readers Maybe today’s readers are better –Maybe not...

Lecture 7 Page 18 CS 236 Online Authentication by Where You Are Sometimes useful in ubiquitous computing The issue is whether the message in question is coming from the machine that’s nearby Less important who owns that machine Requires sufficient proof of physical location And ability to tie a device at that location to its messages Sometimes used in conjunction with other authentication methods –E.g., the door opens only if an authorized user is right outside it

Lecture 7 Page 19 CS 236 Online Authentication on Physical Machines Generally controlled by the operating system Sometimes at application level At OS level, most frequently done at login time How does the OS authenticate later requests?

Lecture 7 Page 20 CS 236 Online Process Authentication Memory protection is based on process identity –Only the owning process can name its own virtual memory pages Virtual memory completely in OS control –Pretty easy to ensure that processes can’t fake identities OS and virtual memory security discussed in more detail later

Lecture 7 Page 21 CS 236 Online How the OS Authenticates Processes System calls are issued by a particular process The OS securely ties a process control block to the process –Not under user control Thus, the ID in the process control block can be trusted

Lecture 7 Page 22 CS 236 Online How Do Processes Originally Obtain Access Permission? Most OS resources need access control based on user identity or role –Other than virtual memory pages and other transient resources How does a process get properly tagged with its owning user or role? Security is worthless if OS carefully controls access on a bogus user ID

Lecture 7 Page 23 CS 236 Online Users and Roles In most systems, OS assigns each potential user an ID More sophisticated systems recognize that the same user works in different roles –Effectively, each role requires its own ID –And secure methods of setting roles

Lecture 7 Page 24 CS 236 Online Securely Identifying Users and Roles Passwords Identification devices Challenge/response systems Physical verification of the user

Lecture 7 Page 25 CS 236 Online Authenticating Across the Network What new challenges does this add? You don’t know what’s at the other end of the wire So, when does that cause a problem? And how can you solve it?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.