Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control."— Presentation transcript:

1 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 1 Authentication and access control overview March 20, 2007

2 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives Access control Case study: Convenient SecureID Case study: Website mutual authentication

3 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 3 Definitions Identification - a claim about identity Who or what I am (global or local) Authentication - confirming that claims are true I am who I say I am I have a valid credential Authorization - granting permission based on a valid claim Now that I have been validated, I am allowed to access certain resources or take certain actions Access control system - a system that authenticates users and gives them access to resources based on their authorizations Includes or relies upon an authentication mechanism May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations

4 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 4 Building blocks of authentication Factors Something you know (or recognize) Something you have Something you are Two factors are better than one Especially two factors from different categories What are some examples of each of these factors? What are some examples of two-factor authentication?

5 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 5 Authentication mechanisms Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics

6 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 6 Evaluation Accessibility Memorability Security Cost Environmental considerations

7 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 7 Typical password advice

8 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 8 Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down So what do you do when every web site you visit asks for a password?

9 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 9 Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

10 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 10

11 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 11 Problems with Passwords Selection Difficult to think of a good password Passwords people think of first are easy to guess Memorability Easy to forget passwords that aren’t frequently used Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters Reuse Too many passwords to remember A previously used password is memorable Sharing Often unintentional through reuse Systems aren’t designed to support the way people work together and share information

12 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 12 Four Mnemonic Passwords First letter of each word (with punctuation) fsasya,oF Substitute numbers for words or similar-looking letters 4sa7ya,oF Substitute symbols for words or similar-looking letters F 4sasya,oF Four 4sa7ya,oF 4s&7ya,oF score s anda seven s yearsy ago a,, our oFathers F Source: Cynthia Kuo, SOUPS 2006

13 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 13 The Promise? Phrases help users incorporate different character classes in passwords Easier to think of character-for-word substitutions Virtually infinite number of phrases Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006

14 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 14 The Problem? “Goodness” of mnemonic passwords unknown Yan et al. compared regular, mnemonic, and randomly generated passwords  Used standard (non-mnemonic) dictionary  Effectively evaluated whether mnemonic passwords contained dictionary words Source: Cynthia Kuo, SOUPS 2006

15 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 15 Source: Cynthia Kuo, SOUPS 2006 Mnemonic password evaluation Mnemonic passwords are not a panacea for password creation No comprehensive dictionary today May become more vulnerable in future Many people start to use them Attackers incentivized to build dictionaries Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

16 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 16 Password keeper software Run on PC or handheld Only remember one password

17 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 17 Single sign-on Login once to get access to all your passwords

18 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 18 BiometricsBiometrics

19 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 19 Graphical passwords

20 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 20 “Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently used sites?

21 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 21 Types of access control Discretionary access control Distributed, dynamic, users set access rules for resources they own and can delegate access to others Role-based access control Centralized admin assigns users to roles and sets access rules based on roles And many others that vary discretionary/mandatory, centralized/distributed, granularity, grouping

22 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 22 Access control usability problems Admins, large organizations understanding large access control policies Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document Who has access to this document anyway? End users creating and understanding policies Examples: File system permissions, Grey, Perspective, privacy rules Home users want to share some files with some other users, but don’t want to share everything

23 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 23 Convenient SecureID Sources: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx http://fob.webhop.net/ What problems do these approaches solve? What problems do they create?

24 Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong http://cups.cs.cmu.edu/courses/ups-sp07/ 24 Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html 1.User gets ID, password (or alternative), image, hotspot at enrollment 2.Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons 3.Then login box appears and user enters username and password (or alternative) 4.Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear) 5.User finds their image and clicks on hotspot  Image manipulation can help prevent replay attacks What problems does this solve? What problems doesn’t it solve? What kind of testing is needed

Download ppt "Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control."

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
Online Submission and Management Information -- Authors

Online Submission and Management Information -- Authors
Access Control Methodologies

Access Control Methodologies
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.
Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication.

Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
CertAnon A Proposal for an Anonymous WAN Authentication Service David Mirra CS410 January 30, 2007.

CertAnon A Proposal for an Anonymous WAN Authentication Service David Mirra CS410 January 30, 2007.
CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Similar presentations

Ads by Google