Published by Moris Page. Modified over 6 years ago.
1
Authentication Ref: Mark Stamp’s “Information Security, Principles & Practice”
2
Authentication Methods
Authentication: determining whether a user is allowed to access a particular resource or not. Problem: authenticating a human to a machine. Approaches: something you know (passwords), something you have (ATM or smart cards), something you are (biometrics).
3
Password Based Authentication
An ideal password is: something that you know; something that a computer can verify that you know; something nobody else can guess, even with unlimited computing resources. In practice it is difficult to even come close to this ideal.
4
Passwords. Reasons: users tend to select bad passwords (dictionary words); what if you forget them?; many things can act as passwords (your PIN, mother's maiden name, birth date, etc.); passwords are not completely random (how would you remember them?).
5
Solution choose GOOD Passwords
Make a strategy which guides the user while creating passwords. Example passwords: Frank, Pikachu, 251019, AustinStamp, jfIej(43j-EmmL+Y, P0kem0N, FSa7Yago.
6
A Good Password
8
Solution Make strategy which guides user while creating passwords
Reactive password checking: the system runs its own password cracker to find guessable passwords, then cancels the passwords that are guessed and notifies the user. This consumes resources and can be misused by hackers. Proactive password checking: the system checks whether the password is allowable at the time of selection. With guidance from the system, users can select memorable passwords that are difficult to guess.
9
Password Verification
How are passwords verified by the system? The system must have the password to compare it with the user's entry: store a table with user ID and password.
10
Classical Method
11
Password Verification
How are passwords verified by the system? Storing bare passwords is a bad idea. Why not use a hash? Many systems store hashed passwords. Every time, the entered password is hashed and the value is checked against the stored hash value.
12
Hashing the Password
13
Salting Password
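The difference between the hashed table and the salted table from these slides, as an added example (not code from the presentation or from Stamp's book). PBKDF2 with a per-user random salt is this example's choice of salted scheme; the account names, `ITERATIONS` and the helper names are assumptions, and the passwords are the sample ones listed earlier.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this sketch


def hash_only(password):
    """Hashed-password table: equal passwords produce equal entries."""
    return hashlib.sha256(password.encode()).hexdigest()


def enroll(table, user, password):
    """Salted table: store (salt, derived key), never the password itself."""
    salt = os.urandom(16)  # fresh random salt for every user
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[user] = (salt, derived)


def verify(table, user, attempt):
    """Re-derive from the entered password with the stored salt and compare."""
    salt, stored = table.get(user, (b"\x00" * 16, b""))  # dummy record for unknown users
    derived = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, stored)  # constant-time comparison


def shared_entries(stored_values):
    """Group users whose stored value is identical (what a leaked table reveals)."""
    groups = {}
    for user, value in stored_values.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed accounts; two users happen to pick the same password.
    accounts = {"alice": "P0kem0N", "bob": "P0kem0N", "carol": "FSa7Yago"}
    hashed = {u: hash_only(p) for u, p in accounts.items()}
    salted = {}
    for u, p in accounts.items():
        enroll(salted, u, p)
    print("hash-only duplicates:", shared_entries(hashed))
    print("salted duplicates:   ", shared_entries({u: r[1] for u, r in salted.items()}))
    print("alice, correct password:", verify(salted, "alice", "P0kem0N"))
    print("alice, wrong password:  ", verify(salted, "alice", "Pikachu"))
```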
14
Biometrics- you are your key
Properties any biometric should possess: universal, distinguishing, permanent, collectable, reliable, robust and user-friendly. Used for two purposes: identification (one-to-many mapping) and authentication (one-to-one mapping).
15
Metric for Biometric Phases
Enrollment phase. Recognition phase. Two types of errors decide the performance: fraud rate, the rate of mis-authentication; insult rate, the rate of non-recognition.
16
Types of Biometric in use
Fingerprints, hand geometry, iris scan, DNA, face, voice, retina.
17
Examples of Galton’s minutia
Fingerprints: loops (double), whorl, arch. Minutia comparison.
18
Hand Geometry. Ref: Ross, Arun, Anil Jain, and S. Pankanti. "A prototype hand geometry-based verification system." Proceedings of 2nd conference on audio and video based biometric person authentication.
19
Iris Scanning. Uses image processing techniques such as digital negative and wavelet transforms to find the iris codes. These codes are then matched during verification.
20
NatGeo’s IRIS Scanning Story
21
NatGeo’s IRIS Scanning Story
22
Something you have. A card that has some amount of memory and computing resources. It can store some cryptographic keys and can do some computations. What if the card falls into the wrong hands? Two-factor authentication can be the solution.
23
To Conclude: authentication of a human to a machine is based on
something you know, something you have, something you are. Passwords are a very unsatisfactory method of authentication. Biometrics potentially offer much greater security, but they cost money and are not without problems. With smartcards we need to be very careful, and they need two-factor authentication.
24
Brainstorming Compare passwords, Biometrics and smartcards.
Discuss why passwords are more popular compared to the other two secure methods.
25
Token Based Authentication
The best way to handle authentication for multiple users to web applications. Token: random number, question, challenge. Applications: Facebook, Twitter, Google+, GitHub.
26
Server based Authentication
Traditional method. Stateful service.
27
Disadvantages of Server based Authentication
Sessions, scalability, CORS (cross-origin resource sharing), CSRF (cross-site request forgery).
28
How Tokens work? Stateless: No session information
Typical implementation: (1) User requests access with username/password. (2) Application validates credentials. (3) Application provides a signed token to the client. (4) Client stores that token and sends it along with every request. (5) Server verifies token and responds with data.
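The issue-and-verify cycle above, as an added example (not code from the presentation). An HMAC-SHA256 signature over a base64 JSON payload is this example's choice of signed token; `SERVER_KEY`, `USERS`, `TOKEN_LIFETIME` and the function names are assumptions, and the credentials are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; a real server loads a random secret
USERS = {"alice": "FSa7Yago"}          # constructed; a real server stores salted hashes
TOKEN_LIFETIME = 900                   # seconds; assumed value


def sign(payload):
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(username, password, now=None):
    """Validate credentials, then hand the client a signed token (None on failure)."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TOKEN_LIFETIME}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + sign(payload)


def verify_token(token, now=None):
    """Check signature and expiry on each request; no session table is consulted."""
    parts = token.split(".") if isinstance(token, str) else []
    if len(parts) != 2:
        return None
    payload, signature = parts
    if not hmac.compare_digest(sign(payload).encode(), signature.encode()):
        return None                      # forged or modified token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    return claims["sub"] if now < claims["exp"] else None


if __name__ == "__main__":
    token = issue_token("alice", "FSa7Yago")
    print("token:", token)
    print("verified user:", verify_token(token))
    # A payload with a later expiry joined to the earlier signature must fail.
    later = issue_token("alice", "FSa7Yago", now=time.time() + 86400)
    spliced = later.split(".")[0] + "." + token.split(".")[1]
    print("spliced payload accepted:", verify_token(spliced) is not None)
```

The server keeps no per-user state here: everything it needs is in the token, and the signature is what stops the client from editing it.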
29
Token based Authentication
30
Token Based Authentication Advantages
Saves memory space, stateless server configurations, scalability, easy passing of the authentication, extra security.
31
Digital Certificates Ref: William Stallings “Cryptography and Network Security”, 4th Edition
32
Typical Encryption Scenario
Alice and Bob: Alice encrypts her message with Bob’s public key. Bob decrypts Alice’s message with his own private key.
33
Typical Digital Signature Scenario
Alice and Bob: Alice encrypts her signature with her private key. Alice sends the digital signature to Bob with her message. Bob verifies Alice’s signature with her public key.
34
What is Digital Certificate?
A public key and a user's identity bound together, signed by someone called a Certificate Authority (CA), certifying the accuracy of the binding. The CA can be an integrated or an individual entity. It maintains the directory server. The server works only as a distributor: it has no authority to create certificates and provides users with easy access to certificates.
35
Digital Certificate Format
36
Digital Certificates A certificate is public information.
Certificates are distributed by means of directories, public folders, and Web pages. Because the certificate owner's public key is contained in a certificate, distributing a certificate also distributes the public key. Others can choose to trust a certificate owner's private key based on the reputation of the CA that issued the certificate and based on confidence in the certificate issuing practices of the CA.
37
Certificate Authority Provider
38
X.509 Directory Services
39
X.509 ITU-T recommended Directory Standard
A part of the X.500 series of recommendations for directory services. Issued in 1988, followed by many versions: 1993, 1995, 2000.
40
X.509 Directory = Repository of public key certificates
Defines a framework for authentication services (certificate structure, authentication protocols). S/MIME (Secure/Multipurpose Internet Mail Extensions), IP security, SSL (Secure Socket Layer)/TLS (Transport Layer Security), and SET (Secure Electronic Transactions) are users of X.509.
41
X.509 Format
42
X.509 Fields Version: Differentiates among successive versions of the certificate format, the default is version 1. Serial number: An integer value, unique within the issuing CA, that is unambiguously associated with this certificate. Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated parameters. Publisher name: X.500 name of the CA that created and signed this certificate.
43
X.509 Fields. Validity Period: Consists of the first and last dates on which the certificate is valid. Entity name: The name of the user to whom this certificate refers. Entity’s public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used. Unique publisher identifier: An optional bit string field used to identify the issuing CA.
44
X.509 Fields. Unique Entity identifier: An optional bit string field used to identify uniquely the subject. Additions/Extensions: A set of one or more extension fields. Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields, encrypted with the CA's private key. This field includes the signature algorithm identifier.
45
Revise: What is a Digital Certificate? What is a Directory?
What is the role of the Directory server? What is a CA? What is the X.509 standard?
46
Public Key Infrastructure (PKI)
Ref: William Stallings “Cryptography and Network Security”, 4th Edition Mark Stamp’s “Information Security, Principles & Practice”
47
What is PKI? Set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. Objective: to enable secure, convenient and efficient acquisition of public keys.
48
Elements of PKI Key generation & management
Digital Signatures, PKC Algorithms, Digital Certificates, Certificate Authorities (CAs), Directory Server, Directory Services, Certificate Revocation Lists (CRLs), Certificate Revocation Server, Key Archival Server.
49
Typical PKI Functions Registration: The process of enrolling in a PKI. Registration usually involves some offline or online procedure for mutual authentication. Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure. Certification: This is the process in which a CA issues a certificate for a user's public key, and returns that certificate to the user's client system and/or posts that certificate in a repository.
50
Typical PKI Functions. Key pair recovery: Loss of access to the key can result from forgotten passwords/PINs, corrupted disk drives, damage to hardware tokens, and so on. Key pair recovery allows end entities to restore their encryption/decryption key pair from an authorized key backup facility. Revocation request: An authorized person advises a CA of an abnormal situation requiring certificate revocation. Reasons for revocation include private key compromise, change in affiliation, and name change.
51
Typical PKI Functions Key pair update: All key pairs need to be updated regularly and new certificates issued. Update is required when the certificate lifetime expires and as a result of certificate revocation. Cross certification: Two CAs exchange information used in establishing a cross-certificate. A cross-certificate is a certificate issued by one CA to another CA that contains a CA signature key used for issuing certificates.
52
Needham-Schroeder Authentication Protocol
Ref:
53
Types The Needham–Schroeder Symmetric Key Protocol
The Needham–Schroeder Public-Key Protocol
54
Needham–Schroeder Symmetric Key Protocol
Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. Kas: symmetric key known only to A and S. Kbs: symmetric key known only to B and S. NA and NB are nonces (numbers used once) generated by A and B respectively. Kab: a symmetric, generated key, which will be the session key of the session between A and B.
55
Needham–Schroeder Protocol
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.
56
Needham–Schroeder Protocol
57
Needham–Schroeder Protocol
Alice forwards the key to Bob who can decrypt it with the key he shares with the server, thus authenticating the data.
58
Needham–Schroeder Protocol
Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive and that she holds the key.
59
N-S Protocol is Vulnerable
Replay attack. No timestamps. Man-in-the-middle attack. Server bypassing.
60
TEST QUESTIONS
1. Find public and private key using RSA algorithm: P=7, Q=11, e=13, use Euclid’s Algorithm. Encrypt and Decrypt the message m=3.
2. Bob has a private key (37, 77) and public key (13, 77). He needs to authenticate any message from him using a signature (of course digital). He chose his sign as ‘5’. Find what will be his Digital signature. How will Alice find that the message is authentic?
3. Alice and Bob agree on q=23 and α=7. Alice chooses secret key as 3 and Bob chooses as 6. Find their public and private keys. Also find the value of common key for Diffie Hellman exchange.
4. Bob and Alice want to use knapsack for their secure communication. Bob has a Super increasing knapsack [7, 11, 19, 39, 79, 157, 313, 547] and he chooses n=900 and r=37. Calculate the public and private keys of Bob. What is the cipher text if Alice wants to send ‘P’ to Bob? Note: ASCII equivalent of ‘P’ is (50)₁₆.
5. Find public and private key using RSA algorithm: P=17, Q=11, e=7, use Euclid’s Algorithm. Encrypt and Decrypt the message m=4.
6. Given modulus N=143 and Public key=7, find the values of p, q, ∅(n) and private key d.
7. Find public and private key using RSA algorithm: P=11, Q=3, e=3, use Euclid’s Algorithm. Encrypt and Decrypt the message m=15.
61
A real world security protocol
KERBEROS
62
What is Kerberos? KERBEROS: as per Greek mythology, a three-headed dog that guards the entrance. Symmetric-key-based network authentication protocol. Developed at MIT in the mid 1980s. Available as open source or in supported commercial format.
63
Why Kerberos? Sending usernames and passwords in the clear jeopardizes the security of the network. Use only N symmetric keys for N users. Simple to implement, with no PKI infrastructure.
64
Design Requirements Interactions between hosts and clients should be encrypted. Must be convenient for users (or they won’t use it). Protection against intercepted credentials.
65
Cryptography Approach
Private Key: each party uses the same secret key to encode and decode messages. Uses a trusted third party (TTP) which can vouch for the identity of both parties in a transaction. Security of the third party is imperative/vital/crucial.
66
How does Kerberos work? Instead of the client sending a password to the application server: request a ticket from the authentication server; the ticket and an encrypted request are sent to the application server. How to request tickets without repeatedly sending credentials? Ticket-granting ticket (TGT).
67
Entities of Kerberos. Authentication Server (AS) or Key Distribution Center (KDC): knows all the keys, users and services in the network; shares a unique key with each user and service; has a master key called KKDC, known only to the KDC. Clients. Service servers.
68
How does Kerberos work? Kerberos Login
The key KA is derived from Alice’s password as KA = h(Alice’s password). The KDC creates the session key SA. Alice’s computer decrypts using KA to obtain SA and the TGT. TGT = E(“Alice”, SA; KKDC).
69
How does Kerberos work? Kerberos Tickets
REQUEST = (TGT, authenticator), where authenticator = E(timestamp; SA). REPLY = E(“Bob”, KAB, ticket to Bob; SA), where ticket to Bob = E(“Alice”, KAB; KB).
[Figure: Alice, Computer, KDC; messages “I want to talk to Bob” / “Talk to Bob”, REQUEST, REPLY]
70
How does Kerberos work? Granting the Service
Alice can securely talk to Bob now. She sends the “ticket to Bob” and an authenticator to Bob first, where authenticator = E(timestamp; KAB). Bob can obtain KAB from the “ticket to Bob”. Alice and Bob now use KAB for further communication.
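The login, ticket and service steps above traced end to end, as an added example (not code from the presentation or from any Kerberos implementation). `E` and `D` are a toy authenticated cipher built from SHA-256 and HMAC, plain SHA-256 stands in for h, and `KDC`, `bob_accept`, `run_exchange` and the credentials are this example's own.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds: the 5-minute timestamp window from the weaknesses slide

def h(password):  # KA = h(password); plain SHA-256 is this example's assumption
    return hashlib.sha256(password.encode()).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(obj, key):
    """Toy authenticated encryption (hash keystream + HMAC), standing in for a real cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def D(blob, key):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    body = ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, ct[:16], len(body)))))

class KDC:
    def __init__(self, passwords):
        self.k_kdc = os.urandom(32)                          # KKDC, known only to the KDC
        self.keys = {n: h(p) for n, p in passwords.items()}  # KA, KB, ...

    def login(self, user):
        """Create SA and TGT = E("Alice", SA; KKDC); return both encrypted under KA."""
        sa = os.urandom(32)
        tgt = E([user, sa.hex()], self.k_kdc)
        return E([sa.hex(), tgt.hex()], self.keys[user])

    def grant(self, tgt, authenticator, service, now):
        """REQUEST = (TGT, authenticator) -> REPLY = E("Bob", KAB, ticket to Bob; SA)."""
        user, sa_hex = D(tgt, self.k_kdc)                    # only the KDC can open the TGT
        sa = bytes.fromhex(sa_hex)
        if abs(now - D(authenticator, sa)) > SKEW:           # authenticator = E(timestamp; SA)
            return None
        kab = os.urandom(32)
        ticket = E([user, kab.hex()], self.keys[service])    # E("Alice", KAB; KB)
        return E([service, kab.hex(), ticket.hex()], sa)

def bob_accept(kb, ticket, authenticator, now):
    """Bob recovers KAB from the ticket, then checks authenticator = E(timestamp; KAB)."""
    user, kab_hex = D(ticket, kb)
    kab = bytes.fromhex(kab_hex)
    return (user, kab) if abs(now - D(authenticator, kab)) <= SKEW else None

def run_exchange(now=1_700_000_000):
    passwords = {"Alice": "FSa7Yago", "Bob": "constructed-service-secret"}  # constructed
    kdc = KDC(passwords)
    sa, tgt = map(bytes.fromhex, D(kdc.login("Alice"), h(passwords["Alice"])))
    kab, ticket = map(bytes.fromhex, D(kdc.grant(tgt, E(now, sa), "Bob", now), sa)[1:])
    auth = E(now, kab)
    accepted = bob_accept(kdc.keys["Bob"], ticket, auth, now)
    replayed = bob_accept(kdc.keys["Bob"], ticket, auth, now + 3600)  # same messages, 1 h later
    return accepted == ("Alice", kab), replayed is None

if __name__ == "__main__":
    print(run_exchange())
```

Alice's password never crosses the network: it is only used locally to open the login reply. Inside the window the timestamp alone does not distinguish a copy from the original, which is why servers also remember authenticators they have already seen.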
71
How does Kerberos work? Ticket Granting Tickets
72
How does Kerberos Work?: The Ticket Granting Service
73
How does Kerberos work?: The Application Server
74
Applications: authentication, authorization, confidentiality.
Within small sets of networks. How secure is Kerberos?
75
Weaknesses and Solutions
If a TGT is stolen, it can be used to access network services; this is only a problem until the ticket expires in a few hours. Subject to dictionary attack; timestamps require the hacker to guess in 5 minutes. Very bad if the Authentication Server is compromised; physical protection for the server.
76
Single Sign on Systems (SSO)
77
Single Sign on. Going to travel: sign in for booking a flight ticket,
sign in for booking a hotel room, sign in for renting a car.
78
Single Sign on Multi sign on is troublesome
Is it possible to just sign-on once to perform all the actions? Single sign-on can be used to answer this question.
79
Introduction What is single sign-on (SSO)? Types of SSO.
Two single sign-on system formats: SAML, Microsoft Passport.
80
SSO - Definition Users sign onto a site only once and are given access to one or more applications in a single domain or across multiple domains. A mechanism to verify a user across multiple applications through a single authentication challenge. One log-in provides access to all resources of the network, LAN or WAN.
81
SSO - Types: Password Synchronization, Legacy SSO (Employee SSO), Web SSO,
Cross domain (realm) SSO, Federated SSO.
82
SSO System - SAML SAML (Security Assertion Markup Language)
An XML framework for exchanging security information over the Internet. Is based on the concept of assertions (statements about a user) which can be passed around. Provides a standard request/response protocol for exchanging XML messages.
83
Goals of SAML. “Portable Trust”: a user whose identity is established and verified in one domain can invoke services in another domain. Cross-domain single sign-on (SSO). Federated identity. Web services: provides a means by which security assertions about messages and service requesters can be exchanged.
84
Cross Domain SSO with SAML
A user authenticates to one web site (domain) and then is able to access resources at some other web sites (domains). A user Joe is authenticated at A.com and can access resources at both A.com and B.com.
85
Federated Identity with SAML
A set of service providers agrees on a way to refer to a single user even if he/she is known to each of them under a different name. The user Joe is authenticated at A.com as and can access resources at both B.com and C.com without being re-authenticated.
86
SAML Assertions. Assertion: a claim, statement or declaration of fact made by some SAML authority. Types of assertions: Authentication: the subject was authenticated by a particular means at a particular time. Authorization: the subject was granted or denied access to a specified resource. Attributes: the subject is associated with the supplied attribute.
87
Microsoft Passport. Online service that allows secure access to participating Web sites or services. Uses your address as sign-in name. Uses one password for all Web sites. Allows you to make faster, more secure online purchases.
88
Microsoft Passport. The information you register with Passport is stored securely in the database. When you sign in to any participating Web site you use your Passport login and password. During the Internet session you can sign in to the other Web sites by clicking
89
Participating Web Sites
90
Advantages of SSO: reduced operational cost; reduced time to access data;
improved user experience, no password lists to carry; advanced security to systems; ease burden on developers; centralized management of users, roles.
91
Federated Identity Management
92
What is a Federation? A group of organizations running IdPs and SPs that agree on a common set of rules and standards. It's a label for people to talk about such a collection of organizations. An organization may belong to more than one federation at a time. The grouping can be on a regional level or on a smaller scale.
93
What is Federated Identity Management?
Federated Identity Management (FIM) securely shares information managed at a user's home organization with remote services. Within FIM systems it doesn’t matter if the service is in your administrative domain or another.
94
Federated Identity Management
In Federated Identity Management: Identity Providers (IdP) publish authentication and identity information about users. Service Providers (SP) consume this information and make it available to an application. An IdP or SP is generically known as an entity. The first principle within federated identity management is the active protection of user information. Protect the user’s credentials: only the IdP ever handles the credential. Protect the user’s identity information, including identifier: a customized set of information is released to each SP.
95
Advantages of FIM: reduces work, provides current data,
insulation from service compromises, minimize attack surface area.