CSCE 522 Identification and Authentication


CSCE 522 Identification and Authentication

Reading
Reading for this lecture:
- Required: Pfleeger, Ch. 2.1
- An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 16, Identification and Authentication, pages 180-194
- Interesting read: Thanasis Petsas, Giorgos Tsirantonakis, Elias Athanasopoulos, and Sotiris Ioannidis. 2015. Two-factor authentication: is the world ready? Quantifying 2FA adoption. In Proceedings of the Eighth European Workshop on System Security (EuroSec '15). ACM, New York, NY, USA, Article 4, 7 pages. http://dl.acm.org/citation.cfm?id=2751323.2751327&coll=DL&dl=ACM&CFID=722323573&CFTOKEN=51590717
- Smart Card Alliance, http://www.smartcardalliance.org/
- Entrust, authentication news, http://www.entrust.com/category/authentication-2/
- Certificate Authority GlobalSign Loses Critical Data to ComodoHacker, http://techie-buzz.com/tech-news/globalsign-attack-certificate-authority-data-leak.html , Sept 8, 2011
Reading for next lecture: Pfleeger, Ch. 2.2
CSCE 522 - Farkas

Identification
- Establishes the identity of an individual, system, application, etc.
- Proof of identity: password, driver's license, ID card, etc.

Authentication
- Allows an entity (a user or a system) to prove its identity within a context, e.g., a computer system
- Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
- Strong authentication: the entity proves knowledge of S to the verifier without revealing S itself to the verifier

Authentication Information
- Must be securely maintained by the system

Elements of Authentication
- Person/group/code/system: the entity to be authenticated
- Distinguishing characteristics: differentiate the entities to be authenticated
- Proprietor/system owner/administrator: responsible for the system
- Authentication mechanism: verifies the distinguishing characteristics
- Access control mechanism: grants privileges upon successful authentication

Authentication Requirements
- Network must ensure that a data exchange is established with the addressed peer entity, not with an entity that masquerades or replays previous messages
- Network must ensure that the data source is the one claimed
- Authentication generally follows identification
- Establishes the validity of a claimed identity
- Provides protection against fraudulent transactions

User Authentication
- What the user knows: password, personal information
- What the user possesses: physical key, ticket, passport, token, smart card
- What the user is (biometrics): fingerprints, voiceprint, signature dynamics

Passwords
- Commonly used method
- For each user, the system stores (user name, F(password)) in a password file, where F is some transformation (e.g., a one-way hash)
- F(password) is easy to compute
- From F(password), the password is difficult to compute
- The password itself is not stored in the system
- When the user enters the password, the system computes F(password); a match provides proof of identity

Vulnerabilities of Passwords
- Inherent vulnerabilities: easy to guess or snoop; no control on sharing
- Practical vulnerabilities: visible if unencrypted in distributed and network environments; susceptible to replay attacks if encrypted naively
- Password advantage: easy to change a compromised password

Attacks on Passwords
- Guessing attack / dictionary attack
- Social engineering
- Sniffing
- Trojan login
- Van Eck sniffing

Guessing Attack
- Exploits human nature to use easy-to-remember passwords
- Trial-and-error attack
- Easy to detect (failed logins) and block
- Problem: if the attacker has access to the password file (even if it is encrypted), guessing happens offline and is not visible as failed logins
- Need an audit mechanism
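The slide notes that online guessing is easy to detect because it shows up as failed logins. The following is an added example (not part of the lecture) of the audit logic a defender would run over authentication logs: it counts failures per user inside a sliding window and raises an alert when the count reaches a threshold, plus a second alert if a success follows such a burst. The log format, field names, threshold and sample lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-10T09:00:01 login user=ann result=FAIL src=10.0.0.5
2024-01-10T09:00:03 login user=ann result=FAIL src=10.0.0.5
2024-01-10T09:00:04 login user=ann result=FAIL src=10.0.0.5
2024-01-10T09:00:06 login user=ann result=FAIL src=10.0.0.5
2024-01-10T09:00:07 login user=ann result=FAIL src=10.0.0.5
2024-01-10T09:00:09 login user=ann result=OK src=10.0.0.5
2024-01-10T09:01:00 login user=bob result=FAIL src=10.0.0.9
2024-01-10T09:30:00 login user=bob result=OK src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, user, result, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["src"]))
    return events


def detect_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, user, src, fail_count).

    'guessing_burst'       : a user reached `threshold` failures inside `window`
    'success_after_burst'  : the same user then logged in successfully, which an
                             analyst should review as a possibly guessed password
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    in_burst = set()             # users currently over the threshold
    alerts = []
    for ts, user, result, src in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append(("guessing_burst", user, src, len(q)))
        else:
            if user in in_burst:
                alerts.append(("success_after_burst", user, src, len(q)))
            q.clear()                     # a success ends the current episode
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the constructed sample, ann triggers both alerts (five failures in six seconds, then a success) while bob's single failure half an hour before his success stays below the threshold. The same logic does not help against the offline case the slide mentions, where the attacker holds the password file and no login attempts reach the system.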

Social Engineering
- Attacker asks for the password while masquerading as somebody else (not necessarily an authenticated user)
- May be difficult to detect
- Protection against social engineering: strict security policy and user education

Dictionary Attacks on Passwords
- Create a dictionary of common words and names and their simple transformations
- Use these to guess the password
- Attack 2: usually F is public and so is the (encrypted) password file
- Compute F(word) for each word in the dictionary
- Find a match

Password Salt
- Used to make dictionary attacks more difficult
- Salt is a 12-bit number between 0 and 4095
- It is derived from the system clock and the process identifier
- Compute F(password+salt); both the salt and F(password+salt) are stored in the password table
- User gives the password; the system finds the salt, computes F(password+salt) and checks for a match
- Better: use a random number; the user authenticates by sending F(password+random number) || random number
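As an added example (not the lecture's code), the following shows the stored record (salt, F(password+salt)) from the Passwords and Password Salt slides and why the salt defeats "Attack 2" from the dictionary-attack slide: a table of F(word) computed once only matches records that were hashed with that same salt. F is taken to be PBKDF2-HMAC-SHA256 and the salt to be 16 random bytes; both are assumptions made for the example rather than the 12-bit clock-derived salt the slide describes.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example; tune for the deployment


def F(password: str, salt: bytes) -> bytes:
    """The one-way transformation F(password+salt); PBKDF2-HMAC-SHA256 is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str, salt=None) -> dict:
    """Build the record the system stores. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt (the slide's 'better' variant)
    return {"salt": salt, "hash": F(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute F with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(F(attempt, record["salt"]), record["hash"])


def same_password_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored hashes once salted."""
    return enroll(password)["hash"] != enroll(password)["hash"]


def dictionary_hits(records, words, table_salt=b""):
    """Defender-side model of Attack 2: a single precomputed table F(word+table_salt)
    recovers only those records whose salt equals table_salt."""
    table = {F(w, table_salt): w for w in words}
    return [table[r["hash"]] for r in records if r["hash"] in table]


if __name__ == "__main__":
    words = ["Password1", "letmein"]
    unsalted = [enroll("Password1", salt=b""), enroll("letmein", salt=b"")]
    salted = [enroll("Password1"), enroll("letmein")]
    print("unsalted records matched:", dictionary_hits(unsalted, words))
    print("salted records matched:  ", dictionary_hits(salted, words))
```

The 12-bit salt on the slide forces the attacker to build 4096 tables instead of one; a long random salt per user removes table reuse entirely, so each record has to be attacked on its own.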

Password Management Policy
- Educate users to make better choices
- Define rules for good password selection and ask users to follow them
- Ask or force users to change their passwords periodically
- Actively attempt to break users' passwords and force users to change broken ones
- Screen password choices

One-time Password
- Use the password exactly once!
- The first use of the password grants access; a second or subsequent use of the same password does not

Lamport's Scheme
- Doesn't require any special hardware
- System computes a one-way function F repeatedly: F(x), F^2(x), …, F^1000(x)
- System stores the user's name and F^1000(x)
- User supplies F^999(x) the first time
- If the login is correct, the system replaces F^1000(x) with F^999(x)
- Next login: user supplies F^998(x), and so on
- User calculates F^n(x) using a hand-held calculator, a workstation, or another device
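The Lamport chain above, as an added example (not from the lecture): the server keeps only the current top of the chain and accepts a value v when F(v) equals what it stores, then moves down to v. SHA-256 stands in for F, and the secret, user name and chain length are constructed for the example.

```python
import hashlib
import hmac


def F(x: bytes) -> bytes:
    """One-way function; SHA-256 is assumed for the example."""
    return hashlib.sha256(x).digest()


def F_n(x: bytes, n: int) -> bytes:
    """F applied n times: F^n(x), with F^0(x) = x."""
    for _ in range(n):
        x = F(x)
    return x


class LamportServer:
    """Stores (user name, F^n(x)); never sees x itself."""

    def __init__(self, username: str, top_of_chain: bytes, n: int):
        self.username = username
        self.current = top_of_chain  # starts as F^n(x)
        self.remaining = n           # logins left before re-enrollment is needed

    def login(self, username: str, value: bytes) -> bool:
        if username != self.username or self.remaining == 0:
            return False
        # Correct value v satisfies F(v) == stored; a replayed v fails because F(v) != v.
        if hmac.compare_digest(F(value), self.current):
            self.current = value     # walk one step down the chain
            self.remaining -= 1
            return True
        return False


class LamportClient:
    """Holds x and produces F^(n-1)(x), F^(n-2)(x), ... in turn."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.next_index = n - 1

    def enrollment_value(self, n: int) -> bytes:
        return F_n(self.secret, n)

    def next_password(self) -> bytes:
        value = F_n(self.secret, self.next_index)
        self.next_index -= 1
        return value


def run_demo():
    """Return the outcomes of: first login, replay of that value, next login, wrong user."""
    n = 1000
    client = LamportClient(b"constructed-example-secret", n)          # constructed secret
    server = LamportServer("ann", client.enrollment_value(n), n)       # stores F^1000(x)
    p1 = client.next_password()                                        # F^999(x)
    first = server.login("ann", p1)
    replay = server.login("ann", p1)                                   # same value again
    p2 = client.next_password()                                        # F^998(x)
    second = server.login("ann", p2)
    wrong_user = server.login("bob", client.next_password())
    return [first, replay, second, wrong_user]


if __name__ == "__main__":
    print(run_demo())  # expected: [True, False, True, False]
```

An eavesdropper who captures F^999(x) learns nothing useful: inverting F to get F^998(x) is exactly what the one-way property rules out.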

Time Synchronized
- There is a hand-held authenticator
- It contains an internal clock, a secret key, and a display
- The display outputs a function of the current time and the key
- It changes about once per minute
- User supplies the user ID and the display value
- Host uses the secret key, the function and its own clock to calculate the expected output
- Login is valid if the values match

Time Synchronized
- Problem: need time synchronization between device and server
- [Diagram: Secret key + Time → DES → One Time Password]

Challenge Response
- Non-repeating challenges from the host are used
- The device requires a keypad
- [Diagram: Workstation sends User ID over the network to the Host; Host returns a Challenge; Workstation returns the Response]

Challenge Response
- [Diagram: Secret key + Challenge → DES → One Time Password]
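The two diagrams above share one structure: a one-time value computed from the secret key and an input that is either the current time or a host-issued challenge. As an added example (not the lecture's code), the following implements both variants, including the two checks the slides motivate: a tolerance window for the clock-drift problem of the time-synchronized device, and rejection of reused challenges so responses cannot be replayed. HMAC-SHA256 stands in for the DES block on the slides; the key, time step and digit count are assumptions for the example.

```python
import hashlib
import hmac
import os


def otp(key: bytes, data: bytes, digits: int = 6) -> str:
    """One-time value = HMAC-SHA256(key, data) truncated to decimal digits.
    HMAC is assumed here in place of the slide's DES block."""
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def _step_bytes(step: int) -> bytes:
    return step.to_bytes(8, "big")


def time_token(key: bytes, now_s: int, step_s: int = 60) -> str:
    """Device side: the display value for the current time step."""
    return otp(key, _step_bytes(now_s // step_s))


def verify_time_token(key: bytes, token: str, now_s: int,
                      step_s: int = 60, skew_steps: int = 1) -> bool:
    """Host side: accept the current step or +/- skew_steps to absorb clock drift."""
    current = now_s // step_s
    for step in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(otp(key, _step_bytes(step)), token):
            return True
    return False


class ChallengeResponseHost:
    """Host side of the challenge/response exchange."""

    def __init__(self, keys: dict):
        self.keys = keys          # user id -> secret key (the sensitive key database)
        self.pending = {}         # user id -> outstanding challenge
        self.used = set()         # challenges already answered, never accepted twice

    def challenge(self, user: str) -> bytes:
        c = os.urandom(8)         # fresh, non-repeating challenge
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)
        if c is None or c in self.used or user not in self.keys:
            return False
        self.used.add(c)
        return hmac.compare_digest(otp(self.keys[user], c), response)


def device_response(key: bytes, challenge: bytes) -> str:
    """Device side: the user keys the challenge into the device and reads off the response."""
    return otp(key, challenge)


if __name__ == "__main__":
    key = b"constructed-device-key"                 # constructed shared secret
    t = 1_700_000_000
    tok = time_token(key, t)
    print("time token accepted 30 s later:", verify_time_token(key, tok, t + 30))
    print("time token accepted 4 min later:", verify_time_token(key, tok, t + 240))
    host = ChallengeResponseHost({"ann": key})
    c = host.challenge("ann")
    r = device_response(key, c)
    print("response accepted:", host.verify("ann", r), "replayed:", host.verify("ann", r))
```

The `keys` dictionary is the "extremely sensitive key database" the next slide warns about: anyone who reads it can compute every user's responses, which is the motivation for the public-key variants that follow.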

Devices with Personal Identification Number (PIN)
- Devices are subject to theft, so some devices require a PIN (something the user knows)
- The PIN is used by the device to authenticate the user
- Problems with challenge/response schemes: the key database is extremely sensitive
- This can be avoided if public key algorithms are used

Smart Cards
- Portable devices with a CPU, I/O ports, and some nonvolatile memory
- Can carry out the computation required by public key algorithms and transmit directly to the host
- Some use biometric data about the user instead of the PIN

Biometrics
- Fingerprint
- Retina scan
- Voice pattern
- Signature
- Typing style

Problems with Biometrics
- Expensive: retina scan (min. cost) about $2,200; voice (min. cost) about $1,500; signature (min. cost) about $1,000
- False readings: retina scan 1/10,000,000+; signature 1/50; fingerprint 1/500
- Can't be modified when compromised

Identity Management
- Distributed, heterogeneous domain
- User credentials
- Performance
- [Diagram: Ann authenticates separately to System 1, System 2 and System 3 ("I am Ann. Here is my Password1/Password2/Password3."); each system keeps its own password store]

Identity Management cont.
- Need verifiable proof of identity without being authenticated during every single interaction
- Digital certificate: links an identity and a public key together
- A user can prove his/her identity by signing messages with his/her private key

Digital Certificates
- Most common digital certificate: X.509
- Initially issued in 1988
- Relies on PKI and a hierarchy of certificate authorities
- Certificate Authority: issues and revokes digital certificates, accepts user notifications, publishes a revocation list

Digital Certificates: Basic Content
- …
- Issuer
- Validity: Not Before, Not After
- Subject
- Subject Public Key Info: Public Key Algorithm, Subject Public Key
- Certificate Signature Algorithm
- Certificate Signature

Problems with X.509
- Large file
- Long duration → needs validation of the certificate for revocation
- Why are digital certificates revoked? Exposure of the private key; incorrect/unauthorized issuance; termination of assignment

Return to Multiple Authentication
- [Diagram: Ann presents the same X.509 certificate to System 1, System 2 and System 3 ("I am Ann. Here is my X.509."); each system verifies the certificate]

Single Sign On
- [Diagram: Ann presents her X.509 certificate to System 1 ("I am Ann. Here is my X.509. Give me a locally verifiable token."); System 1 verifies the certificate and issues a SAML token; Ann then presents the SAML token to System 2 and System 3 ("I am Ann. Here is my SAML token.")]

Next Class
- Access Control