Authentication
CSSE 490 Computer Security
Mark Ardis, Rose-Hulman Institute
March 11, 2004


2 Outline
- Authentication mechanisms
- Dictionary attacks
- Passwords
- Defense against attacks

3 Authentication
- Authentication is the binding of an identity to a subject
- How? By something about the subject that the system can check:
  - what the subject knows (e.g. a password)
  - what the subject has (e.g. a token or key)
  - what the subject is (e.g. a biometric)
  - where the subject is (e.g. the location or terminal it connects from)

4 Authentication Mechanisms (1/2)
- Set A of authentication information: specific information used to prove identity (belongs to the subject)
- Set C of complementation information: the system stores this to use for validation
- Set F of complementation functions: generate complementation information from authentication information, f ∈ F, f: A → C

5 Authentication Mechanisms (2/2)
- Set L of authentication functions: verify identity, l ∈ L, l: A × C → {true, false}
- Set S of selection functions: enable a subject to create or alter the authentication and complementation information

6 Passwords
- A password is information associated with a user that confirms the user's identity
- Passwords may be generated by the system and given to users, or selected by the users

7 Dictionary Attack
- Guess a password by repeated trial and error using a list of words (the dictionary)
- Type 1 (offline): the complementation information C and the complementation function f are known; compute f(g) for each guess g and look for a match in C
- Type 2 (online): only the authentication function l is reachable; evaluate l(g, c) for each guess g, i.e. attempt a login with g, one attempt per guess
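The following is an added example, not code from the lecture: it instantiates the sets A, C, F, L and S of slides 4 and 5 with a salted SHA-256 digest as the complementation function, then runs both dictionary-attack types of slide 7 against a constructed two-user store and a constructed wordlist. It also shows what the same offline attack costs when f has no salt, which is the point of the salting defence on slide 16.

```python
import hashlib
import hmac
import os

# Constructed wordlist and user population for the demonstration.
DICTIONARY = ["password", "letmein", "rosehulman", "correct", "qwerty", "dragon"]
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3x!"}   # bob's password is not in the list


def f(password: str, salt: bytes) -> bytes:
    """Complementation function f: A -> C.

    A per-user salt is mixed in before hashing, so the same password gives a
    different digest for every user (the 'salting' defence of slide 16).
    """
    return hashlib.sha256(salt + password.encode()).digest()


def select(password: str):
    """Selection function (set S): create the complementation information for a user."""
    salt = os.urandom(16)
    return salt, f(password, salt)


def l(guess: str, stored) -> bool:
    """Authentication function l: A x C -> {true, false}."""
    salt, digest = stored
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(f(guess, salt), digest)


# C as the system stores it: one (salt, digest) entry per user.
STORE = {user: select(pw) for user, pw in USERS.items()}


def login(user: str, guess: str) -> bool:
    """The online interface an attacker can reach: one evaluation of l per guess."""
    return user in STORE and l(guess, STORE[user])


def type1_attack(store, dictionary):
    """Type 1 (offline): the attacker holds C and knows f.

    Returns the cracked accounts and the number of f evaluations spent.
    Because every user has a distinct salt, the dictionary has to be
    re-hashed per user; nothing computed for alice helps against bob.
    """
    cracked, work = {}, 0
    for user, (salt, digest) in store.items():
        for g in dictionary:
            work += 1
            if f(g, salt) == digest:
                cracked[user] = g
                break
    return cracked, work


def unsalted_type1(dictionary, passwords):
    """The same attack if f had no salt: hash the dictionary once, then every
    user's digest is a table lookup, so the total work is len(dictionary)."""
    table = {hashlib.sha256(g.encode()).digest(): g for g in dictionary}
    digests = {u: hashlib.sha256(p.encode()).digest() for u, p in passwords.items()}
    cracked = {u: table[d] for u, d in digests.items() if d in table}
    return cracked, len(dictionary)


def type2_attack(user, dictionary):
    """Type 2 (online): only l is available, so each guess is one login
    attempt the system can observe, slow down or refuse (slide 16)."""
    for attempts, g in enumerate(dictionary, start=1):
        if login(user, g):
            return g, attempts
    return None, len(dictionary)


if __name__ == "__main__":
    print(type1_attack(STORE, DICTIONARY))      # ({'alice': 'letmein'}, 8)
    print(unsalted_type1(DICTIONARY, USERS))    # ({'alice': 'letmein'}, 6)
    print(type2_attack("alice", DICTIONARY))    # ('letmein', 2)
```

With two users the salted attack costs 8 hash evaluations against 6 for the unsalted table; with N users the salted cost grows as N times the dictionary while the unsalted cost stays at one pass, which is why salting matters even though it does not help a single targeted user whose password is in the list.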

8 Bad Passwords (1/6)
- Many user-selected passwords are easy to guess via dictionary attack:
  1. Passwords based on account names
  2. Passwords based on user names
  3. Passwords based on computer names
  4. Dictionary words
  5. Reversed dictionary words
  6. Dictionary words with some or all letters capitalized

9 Bad Passwords (2/6)
  7. Reversed dictionary words with some or all letters capitalized
  8. Dictionary words with arbitrary letters turned into control characters

10 Bad Passwords (3/6)
  9. Dictionary words with any of the following changes:
     a) a -> 2 or 4
     b) e -> 3
     c) h -> 4
     d) i -> 1
     e) l -> 1
     f) o -> 0
     g) s -> 5 or $
     h) z -> 5

11 Bad Passwords (4/6)
  10. Conjugations or declensions of dictionary words
  11. Patterns from the keyboard
  12. Passwords shorter than 6 characters
  13. Passwords containing only digits
  14. Passwords containing only uppercase or lowercase letters, or letters and numbers, or letters and punctuation
  15. Passwords that look like license plate numbers

12 Bad Passwords (5/6)
  16. Acronyms or abbreviations
  17. Passwords used in the past
  18. Concatenations of dictionary words
  19. Dictionary words preceded or followed by digits, punctuation marks, or spaces
  20. Dictionary words with all vowels deleted
  21. Dictionary words with white spaces deleted

13 Bad Passwords (6/6)
  22. Passwords with too many characters in common with the previous (current) password

14 Good Passwords (1/2)
- at least one digit
- at least one letter
- at least one punctuation symbol

15 Good Passwords (2/2)
- Take a verse and select from it: "Where were you when we were getting high?" -> wwywwwgh?
- Change repetition to a count: wwywwwgh? -> w2yw3gh?
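An added example, not code from the lecture, covering slides 8 through 15 together: a proactive checker that implements a subset of the 22 bad-password rules (including undoing the slide 10 substitution table in every possible way), the three slide 14 requirements, and the slide 15 verse recipe. The wordlist, keyboard rows and similarity threshold are constructed for the demonstration; a real checker would use a much larger dictionary.

```python
import itertools
import re
import string
from difflib import SequenceMatcher

# Constructed wordlist; a deployed checker would load a real dictionary file.
DICTIONARY = {"secret", "password", "dragon", "welcome", "monkey", "letmein", "summer"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Slide 10's substitutions inverted: each symbol and the letters it may stand for
# (4 may be a or h, 1 may be i or l, 5 may be s or z).
UNLEET = {"2": "a", "4": "ah", "3": "e", "1": "il", "0": "o", "5": "sz", "$": "s"}
VOWELLESS = {re.sub(r"[aeiou]", "", w): w for w in DICTIONARY}     # rule 20
PUNCT = set(string.punctuation)


def undo_substitutions(pw):
    """Rule 9 in reverse: every reading of digits/symbols as letters.
    The original character is always one of the options, so the literal
    password is in the set too."""
    options = [ch + UNLEET.get(ch, "") for ch in pw.lower()]
    return {"".join(p) for p in itertools.product(*options)}


def is_dictionary_based(candidate):
    """Rules 4-7, 19 and 20 on one lower-cased candidate."""
    core = candidate.strip(string.digits + string.punctuation + " ")   # rule 19
    for w in (candidate, core):
        if w in DICTIONARY or w[::-1] in DICTIONARY:   # rules 4-7 (case already folded)
            return True
        if w in VOWELLESS:                              # rule 20
            return True
    return False


def check_password(pw, account="", previous=""):
    """Return the rules the password violates; an empty list means acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < 6:
        problems.append("rule 12: shorter than 6 characters")
    if pw.isdigit():
        problems.append("rule 13: only digits")
    classes = (("digit", any(c.isdigit() for c in pw)),
               ("letter", any(c.isalpha() for c in pw)),
               ("punctuation", any(c in PUNCT for c in pw)))
    missing = [name for name, present in classes if not present]
    if missing:                                          # rule 14 and slide 14
        problems.append("rule 14 / slide 14: missing " + ", ".join(missing))
    if any(is_dictionary_based(c) for c in undo_substitutions(pw)):
        problems.append("rules 4-9, 19, 20: dictionary word (possibly disguised)")
    if account and account.lower() in low:
        problems.append("rule 1: contains the account name")
    if any(low[i:i + 4] in row or low[i:i + 4] in row[::-1]
           for row in KEYBOARD_ROWS for i in range(len(low) - 3)):
        problems.append("rule 11: keyboard pattern")
    # rule 22: similarity ratio threshold of 0.7 is an assumed policy value
    if previous and SequenceMatcher(None, low, previous.lower()).ratio() > 0.7:
        problems.append("rule 22: too similar to the previous password")
    return problems


def verse_password(verse):
    """Slide 15: initial letters (keeping a word's trailing punctuation),
    then replace each run of a repeated character by the character and a count."""
    initials = ""
    for word in verse.split():
        initials += word[0].lower()
        if word[-1] in PUNCT:
            initials += word[-1]
    out = ""
    for ch, run in itertools.groupby(initials):
        n = len(list(run))
        out += ch + (str(n) if n > 1 else "")
    return out


if __name__ == "__main__":
    pw = verse_password("Where were you when we were getting high?")
    print(pw, check_password(pw))                                # w2yw3gh? []
    print(check_password("S3cr3t1"))                             # disguised 'secret', no punctuation
    print(check_password("Summer2024!", previous="Summer2023!"))  # dictionary word, too similar
```

The substitution table is undone by enumerating all readings rather than picking one, because a single reverse mapping would miss, for example, a 1 that stands for l rather than i; the enumeration is exponential in the number of substituted characters but passwords are short, so it stays cheap.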

16 Defensive Strategies
- Salting: change the complementation function based on the user (a per-user random value mixed into f), so identical passwords give different complementation information and a type 1 attacker must redo the whole dictionary for every user
- Backoff: wait longer after each failed attempt
- Disconnection: drop the connection after failed attempts, so the attacker must reconnect before trying again
- Disabling: lock the account after too many failures until it is re-enabled

17 Password Aging
- Require a new password every N days
- Need to prevent "changing" to the same password
- Could prevent reuse of a password for a fixed time period
- Need to give users notice before requiring a new password
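An added example, not the lecture's code, that serves slides 16 and 17 together: an account record that applies exponential backoff and disabling to failed logins, refuses a "change" to the current password, blocks reuse of a retired password for a fixed period, and reports how many days remain before a new password is required. The clock is passed in as a parameter so the behaviour can be shown without sleeping; the policy values (1 s base delay, 5 failures, 90-day age, 7-day warning, 1-year reuse window) are assumed for the demonstration.

```python
import hashlib
import hmac
import os

BASE_DELAY = 1.0            # seconds to wait after the first failure; doubles each time
MAX_FAILURES = 5            # disable the account at this many consecutive failures
DAY = 86400
MAX_AGE = 90 * DAY          # require a new password every 90 days
WARN_BEFORE = 7 * DAY       # warn the user during the last 7 days
REUSE_PERIOD = 365 * DAY    # a retired password may not be reused for a year


def _digest(password, salt):
    return hashlib.sha256(salt + password.encode()).digest()


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.failures = 0
        self.not_before = 0.0      # backoff: nothing is even checked before this time
        self.disabled = False
        self.history = []          # (retired_at, salt, digest) of previous passwords
        self._set(password, now)

    def _set(self, password, now):
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.changed_at = now

    def matches(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.digest)


def login(acct, password, now):
    if acct.disabled:
        return "disabled"
    if now < acct.not_before:
        # Backoff window still open: refuse without evaluating the password.
        # A server could also drop the connection here (disconnection).
        return "backoff"
    if acct.matches(password):
        acct.failures = 0
        return "expired" if now - acct.changed_at > MAX_AGE else "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.disabled = True       # disabling: an administrator must re-enable
        return "disabled"
    acct.not_before = now + BASE_DELAY * 2 ** (acct.failures - 1)   # 1, 2, 4, 8 s
    return "wrong"


def change_password(acct, old, new, now):
    if not acct.matches(old):
        return "wrong"
    if acct.matches(new):
        return "same"              # "changing" to the current password
    for retired_at, salt, digest in acct.history:
        if now - retired_at < REUSE_PERIOD and hmac.compare_digest(_digest(new, salt), digest):
            return "reused"
    acct.history.append((now, acct.salt, acct.digest))
    acct._set(new, now)
    return "ok"


def status(acct, now):
    """What to tell the user at login: ('ok'|'warn'|'expired', whole days left)."""
    remaining = acct.changed_at + MAX_AGE - now
    if remaining <= 0:
        return "expired", 0
    return ("warn" if remaining <= WARN_BEFORE else "ok"), int(remaining // DAY)


if __name__ == "__main__":
    a = Account("alice", "c0rrect-h0rse!", now=0.0)
    print(login(a, "wrong", 0.0), login(a, "c0rrect-h0rse!", 0.5))   # wrong backoff
    print(login(a, "c0rrect-h0rse!", 1.0))                            # ok
    print(status(a, 85 * DAY))                                        # ('warn', 5)
```

Old passwords are kept only as salted digests, so the history itself does not become a second plaintext store for a type 1 attacker; the reuse check hashes the proposed password under each retired salt and compares.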

18 Challenge Response
- System and user share a secret function f
- System sends a random message m [challenge]
- User replies with f(m) [response]
- The secret itself never crosses the channel, and because m is fresh for every exchange a captured response is useless for a later login
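The exchange above, as an added example that is not part of the lecture: the shared secret function f is realised as HMAC-SHA256 keyed by a secret the two sides hold, both parties' messages are shown, and an eavesdropper's replay of a captured response is attempted against a fresh challenge. The user name and the random secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# What the system holds for each enrolled user (constructed).
SECRETS = {"alice": os.urandom(32)}


def f(secret: bytes, m: bytes) -> bytes:
    """The shared secret function: without the key, f(m) cannot be computed."""
    return hmac.new(secret, m, hashlib.sha256).digest()


class System:
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}                  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        m = os.urandom(16)                 # fresh random m each time
        self.pending[user] = m
        return m

    def verify(self, user: str, response: bytes) -> bool:
        m = self.pending.pop(user, None)   # a challenge is answered at most once
        if m is None or user not in self.secrets:
            return False
        return hmac.compare_digest(f(self.secrets[user], m), response)


class User:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, m: bytes) -> bytes:
        return f(self.secret, m)


def authenticate(srv: System, user: User):
    """Run one exchange. Returns (accepted, transcript); the transcript is
    everything an eavesdropper on the wire sees."""
    m = srv.challenge(user.name)
    r = user.respond(m)
    return srv.verify(user.name, r), [("challenge", m), ("response", r)]


def replay(srv: System, user_name: str, transcript) -> bool:
    """Eavesdropper replays a captured response; the system has issued a new m."""
    srv.challenge(user_name)
    return srv.verify(user_name, dict(transcript)["response"])


if __name__ == "__main__":
    srv = System(SECRETS)
    alice = User("alice", SECRETS["alice"])
    ok, transcript = authenticate(srv, alice)
    print(ok, replay(srv, "alice", transcript))   # True False
```

Contrast this with a password sent in the clear, which is the same authentication information on every login: here the wire carries only m and f(m), and the secret stays on the two endpoints.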

