Presentation is loading. Please wait.

Presentation is loading. Please wait.

G53SEC 1 Authentication and Identification Who? What? Where?

Published byChad Booth Modified over 8 years ago

Similar presentations

Presentation on theme: "G53SEC 1 Authentication and Identification Who? What? Where?"— Presentation transcript:

1 G53SEC 1 Authentication and Identification Who? What? Where?

2 G53SEC Coursework NOT team work You will need to solve TWO problems, e.g. firewall AND spam filter Labs will start week commencing 20 Feb 2012 Submission deadline will be BEFORE EASTER BREAK Some useful hints about the coursework will be given to you within the next couple of weeks (after you start working on the problems) 2

3 G53SEC Overview of Today’s Lecture: Username and Password Managing Passwords Choosing Passwords Spoofing Attacks Protecting the Password File Single Sign-On Alternative Approaches Summary 3

4 G53SEC Username and Password: Identification – Who you are Authentication – The process of verifying a claimed identity TOCTTOU – time of check to time of use Repeated authentication – at start as well as during a session 4

5 G53SEC Username and Password (continued): First line of defence + Widely accepted + Not too difficult to implement - Managing passwords – expensive - Common way of getting in 5

6 G53SEC Exmaples of potential hazards… forgotten passwords password guessing password spoofing compromise of the password file Remember User has a vital role in password protection 6

7 G53SEC Managing Passwords: Password = a secret between user and system Issues Password ends up in right hands? Interception? No password yet? New passwords – delay ok Forgotten passwords – instant remedy necessary 7

8 G53SEC Choosing Passwords: Critical security issue Keeping probability of guessing to minimum Guessing strategies: Exhaustive search – brute force Intelligent search – e.g. dictionary attack 8

9 G53SEC continued… Defences: Change default passwords Password length Password format Avoid obvious passwords 9

10 G53SEC continued… Further security improvements: Password checkers Password generation Password aging Limit login attempts A combination of all those = highest security? 10

11 G53SEC continued… 11

12 G53SEC continued… People forget Contact an operator Opens a way for a new attack – Social Engineering Regularly used passwords best remembered Tip - don’t change passwords before the weekend or holidays 12

13 G53SEC Spoofing attacks: Unilateral authentication – one way No guarantee about end system Spoofing attack e.g. Fake login screen Prevention display failed login attempts trusted path (e.g. ctrl+alt+del) mutual authentication 13

14 G53SEC continued… Password caching password temporarily stored (buffer, cache, web page) beyond control of user sometimes for too long. 14

15 G53SEC 15 Protecting the Password File: Password compared to an entry in a password file An attractive target for an attacker Protection Cryptography Access control enforced by the OS Combination of the above

16 G53SEC 16 Cryptography: One-way Function A function that is relatively easy to compute but significantly harder to undo or reverse. x f(x) f(x) x f(x) is stored in the password file f(x) compared to computed f(x’) from x’ supplied by user

17 G53SEC 17 Access Control: Access Control Restricts access to files and resource to users with appropriate privileges Password file can’t be world readable - Off-line dictionary attacks or writeable - Change password

18 G53SEC 18 continued… Password salting Password + Additional Info (Salt) - > Encrypt Remember Combination of mechanisms can enhance protection Separate security relevant and openly available data (e.g. /etc/passwd and shadow password files)

19 G53SEC 19 Single Sign-On: Not convenient to repeatedly authenticate Whether one or multiple passwords Single Sign-On Password entered once. Stored by system and subsequently authenticating on your behalf. Convenient But new problems arise – storage of password

20 G53SEC 20 Alternative Approaches used for Authentication: Something you know Something you hold Who you are What you do Where you are

21 G53SEC 21 Something You Know: Knowledge of a “secret” - Password - PIN - Personal Details Anybody who obtains your secret = YOU No trace of passing secret to someone else Can you prove your innocence?

22 G53SEC 22 Something You Hold: Physical token - A key to a lock - Card (Smart cards, RFID cards) - Identity Tag Can be lost or stolen Again the one in possession becomes you Used in combination with something you know

23 G53SEC 23 Something You Are: Biometric schemes – unique physical characteristics - Face - Fingerprints - Iris patterns, etc… Accuracy of training and authentication “forged” fingers Mutilations Acceptable by users?

24 G53SEC 24 Biometrics: 1.Enrolment - Collection and storage of reference templates 2.Identification – Finding a user in a database of templates 3.Verification - Comparison against the reference template of identified user Matching algorithm – calculates similarity between reference template and current reading. If similarity above certain threshold, accept user.

25 G53SEC 25 Biometrics: False positives – Accepting the wrong user False negatives – Rejecting a legitimate user A balance needs to be found! State-of-the-art fingerprint recognition schemes have error rates of around 1-2%

26 G53SEC 26 What You Do: Mechanical Tasks – repeatable and specific to individual - Handwritten signatures - Writing speed and pressure - Keyboard typing speed and intervals between keys Again needs to take into account false positives and negatives

27 G53SEC 27 Where You Are: Location of access - Operator console vs. arbitrary terminal - Office workstation vs. home PC - Geographical location IP address or GPS for locating users Not reliable on its own Should be used in combination with other mechanisms

28 G53SEC 28 To remember: - A Password does not authenticate a person! - Successful authentication = user knows a particular secret - No way of distinguishing legitimate user and attacker who obtained the user’s credentials

29 G53SEC 29 Summary: Passwords (creation, management) Attacks on passwords Alternative approaches Next Week Access Control

30 G53SEC End 30

Download ppt "G53SEC 1 Authentication and Identification Who? What? Where?"

Similar presentations

1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Biometrics and Authentication Shivani Kirubanandan.

Biometrics and Authentication Shivani Kirubanandan.
Marjie Rodrigues 411154.

Marjie Rodrigues
Security-Authentication

Security-Authentication
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.

Similar presentations

Ads by Google