Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé

Published byКонстантин Ђурђевић Modified over 5 years ago

Similar presentations

Presentation on theme: "Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé"— Presentation transcript:

1 Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé
Arizona State University

2 Authentication vs. Authorization
Who are you? Authorization What can you do?

3 Authentication Terms Principal Identity Subject Authentication
Unique entity Identity Specifies a principal Internal representation of an entity Subject Acts on behalf of an entity Authentication Binding an identity to a subject

4 Authentication Mechanisms
What you know What you possess What you are Where you are

5 Authentication System
(A, C, F, L, S) A authentication information that proves identity C complementary information stored on a computer and used to validate authentication information F complementation functions for f ∈ F , f : A -> C L authentication functions that verifies identity for l ∈ L , l : A x C -> {True, False} S selection functions enabling entity to create or alter information in A or C

6 Password System Passwords stored in plaintext Authentication System
A set of string that can be used for password C = A F singleton set of complementation function { f} L single equality test operation { eq } S function to set/change password

7 UNIX Standard Hash Function
A = { strings of 8 chars or less } C = { 2 char hash id || 11 char hash } F = { 4096 versions of modified DES } L = { login, su, … } S = { passwd, nispasswd, passwd+, …}

8 UNIX Standard Hash Function
external entities service provider S: create a password alice :: password A F: generate an encrypted password principal (alice) L: A x C  {True, False} F(password) = y5SfcRm53cpiE ? alice:y5SfcRm53cpiE:12:23:Alice User:/bin/sh C

9 High-Level Attacking Authentication
Attacker’s Goal Find a ∈ A s.t. For some f ∈ F, f(a) = c ∈ C c is associated with entity Direct approach Attacker has a c, find a f(a) = c Attacker does not have c, find a, l(f, a) = True

10 Preventing Attacks Hide one of a, f, or c Can we hide L?
Prevents some types of attacks Unix/Linux shadow password files Can we hide L? Prevents attacker from knowing if guess succeeded Preventing any network-based logins or restrict logins to only IP address

11 Password-based Authentication
Most common Passwords are the worst form of authentication ... except for all those other forms that have been tried from time to time. Paraphrasing Winston Churchill Several problems Inherent vulnerabilities easy to guess easy to snoop easy to lose no control on sharing social engineering Practical vulnerabilities Visible over insecure distributed and networked systems Susceptible to replay attacks Password reuse Requires proactive management

12 Dictionary Attack General attack for all password-based authentication
Try to use each word in the dictionary or word file w, compute f(w), check f(w) == c Is it possible to search all possible passwords? Easy to search all likely passwords!

13 Dictionary Attack Offline Online
Know f and c, repeatedly try different guesses crack, john-the-ripper Online Have access to functions in L and try guesses until l(g) succeeds Logging into a website guessing a password

14 Countering Password Guessing
Deny access to C (complementary information) All guesses must be online Hard to guarantee Add delay to L when incorrect Many systems do this Increase time to compute f(a) Use a different hashing function

15 Rainbow Tables Essentially precompute the size of some key space
Why not just store key and hash? Rainbow tables allow a tradeoff between time to crack and space required Space requirements are large MD5 1-8 character alphanumeric 127GB MD5 1-9 character alphanumeric 690GB

16 Salts Add a random value, salt, to each password before it is hashed
salt is public and know Therefore, each password hash is unique Essentially selecting a different f for every user

17 “Slow” Hashes Controllable work factor bcrypt scrypt
Stored with the salt and hash bcrypt Designed to be a slow hash Used on submission server Computing hash takes 300ms on server scrypt Designed to take memory to perform hash

18 Password Reuse How many passwords do you have?
For what service? Are they all equally secure? What happens if one of your passwords is leaked? 3.5B Yahoo (2013) 412M Adult Friend Finder (2016) 152M Adobe (2013) 145M eBay (2014)

19 Adobe Breach

20 Adobe Breach

21 Password Managers Keep track of passwords and generate random passwords per website Encrypted/locked with a “master” password Who do you trust? Many options LastPass 1Password KeePass

22 Password Recovery What happens when you forget your password?
Completely locked out of account? Most work by sending to your registered account with a link to reset your password Is this secure? What does this mean about the security of your inbox?

23 Two-Factor Authentication
Two things required for authentication Based on the authentication categories Google authenticator DuoSecurity (ASU uses this)

24 CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart Is CAPTCHA authentication? How to break CAPTCHA?

25 Additional Authentication Mechanisms
Token-based authentication Google 2FA Hardware token Address-based authentication Restrict access to VPN or server based on IP address Location-based authentication Unlocking car only when “close” Biometrics-based authentication Fingerprint readers Voice recognition Face recognition

26 Authentication Research
Continuous authentication Continuously verify the user Replacing passwords FIDO Access/authentication delegation OAuth 2.0 ASU online services

Download ppt "Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé"

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
CS526: Information Security Chris Clifton October 16, 2003 Authentication.

CS526: Information Security Chris Clifton October 16, 2003 Authentication.
Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.

Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 30, 2011.
CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security Chapter 8 – Password Security.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,

Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,

Similar presentations

Ads by Google