Single Password, Multiple Accounts

Single Password, Multiple Accounts
Mohamed G. Gouda, Alex X. Liu, Lok M. Leung, Mohamed A. Alam
Department of Computer Sciences, The University of Texas at Austin
June 2005

Multiple Accounts
- Most users have multiple accounts on the Internet:
  Bank: http://www.chase.com
  Email: http://mail.yahoo.com
  Travel: http://www.travelocity.com
- Each account requires a password.
- Insecure common practice: the same password for all accounts.
- To steal someone's password, attackers can:
  - set up a malicious server, or
  - break into a low-security server.

Single Password Protocol (SPP)
- Allows a server to authenticate a client without the server knowing the client's password at any time.
- Can counter the following:
  - Malicious server attacks
  - Password file attacks
  - Message log attacks
  - Server spoofing attacks

SPP Version 1
- Currently used in HTTP
- Communication is encrypted using a session key (SSL)
- Vulnerable to malicious server attacks
- C knows P; S stores MD(P)
- C → S: C, P

SPP Version 2
- Uses challenge/response
- Vulnerable to password file attacks
- C knows P; S stores n, MD(n|P)
- C → S: C
- S → C: n
- C → S: MD(n|P)

SPP Version 3
- Vulnerable to message log file attacks
- C knows P; S stores n, MD²(n|P)
- C → S: C
- S → C: n
- C → S: MD(n|P)

SPP Version 4
- Vulnerable to server spoofing attacks
- C knows P; S stores n_i, MD²(n_i|P)
- C → S: C
- S → C: n_i
- C → S: MD(n_i|P), n_(i+1), MD²(n_(i+1)|P)

Server Spoofing Attacks
- Malicious server S knows: n_i, MD²(n_i|P)
- Benign server S' knows: m_i, MD²(m_i|P)
- Message flow (S relays between C and S'):
  C → S: C
  S → S': C
  S' → S: m_i
  S → C: m_i
  C → S: MD(m_i|P), m_(i+1), MD²(m_(i+1)|P)
  S → S': MD(m_i|P), m_(i+1), MD²(m_(i+1)|P)

Final Version SPP
- Two techniques:
  - Challenge/response
  - One-time server-specific tickets
- C knows P; S stores n_i, MD²(n_i|S|P)
- C → S: C
- S → C: n_i
- C → S: MD(n_i|S|P), n_(i+1), MD²(n_(i+1)|S|P)
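Added example, not the authors' code: a Python sketch of the final SPP exchange, where the server holds only n_i and MD²(n_i|S|P), checks a response by hashing it once more, and installs the client's next ticket on success. SHA-256 as MD, length-prefixed concatenation for "|", and all class and function names are assumptions made here.

```python
import hashlib
import hmac
import os

def md(data: bytes) -> bytes:
    """MD(x) from the slides; using SHA-256 as the digest is an assumption."""
    return hashlib.sha256(data).digest()

def md2(data: bytes) -> bytes:
    """MD^2(x) = MD(MD(x)): the server stores this, never the response itself."""
    return md(md(data))
def cat(*parts: bytes) -> bytes:
    """The slides' 'a|b|c'; length prefixes keep the fields unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

class Client:
    def __init__(self, name: bytes, password: bytes):
        self.name, self.password = name, password      # C knows P

    def ticket(self, server: bytes) -> tuple:
        """Fresh one-time ticket for this server: (n, MD^2(n|S|P))."""
        n = os.urandom(16)
        return n, md2(cat(n, server, self.password))

    def respond(self, server: bytes, n_i: bytes) -> tuple:
        """Answer challenge n_i with MD(n_i|S|P), n_(i+1), MD^2(n_(i+1)|S|P)."""
        return (md(cat(n_i, server, self.password)), *self.ticket(server))

class Server:
    def __init__(self, name: bytes):
        self.name, self.accounts = name, {}            # C -> (n_i, MD^2(n_i|S|P))

    def enroll(self, c: Client) -> None:
        self.accounts[c.name] = c.ticket(self.name)    # P itself is never received

    def challenge(self, client: bytes) -> bytes:
        return self.accounts[client][0]
    def verify(self, client: bytes, resp: bytes, n_next: bytes, t_next: bytes) -> bool:
        _, stored = self.accounts[client]
        if not hmac.compare_digest(md(resp), stored):  # MD(response) must equal MD^2(n_i|S|P)
            return False
        self.accounts[client] = (n_next, t_next)       # ticket consumed; install the next one
        return True

def login(c: Client, s: Server, name_seen_by_client: bytes) -> tuple:
    """One SPP run; name_seen_by_client is the server name C binds into its hashes."""
    n_i = s.challenge(c.name)
    msg = c.respond(name_seen_by_client, n_i)
    return s.verify(c.name, *msg), msg
```

Because the ticket rotates on every success and the server name is inside the hash, a logged response cannot be replayed and a response the client computed for a different server name does not verify, which is the property the slides use against message log and server spoofing attacks.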

Related Work: One-Time Password Protocols
- Use a different password for each authentication
- Protocols: [Lamport 81], [Rubin 95]
- Motivation: prevent eavesdropping
- Invented before SSL

Related Work: Strong Password Protocols
- Strong security properties
- Protocols: [Bellovin 92 - EKE], [Wu 98 - SRP], ...
- Motivation:
  - Establish a session key (SPP uses SSL)
  - Prevent dictionary attacks (SPP uses a single strong password)
- Computationally intensive (not suitable for the web): modular exponentiations, asymmetric encryptions/decryptions

Related Work: Single Sign-on Protocols
- Use one central server to authenticate clients for multiple servers; thus one password per user.
- Protocols: Microsoft Password Protocol
- Disadvantages:
  - Single point of failure
  - Lack of wide deployment
  - High incentive for attackers

Conclusions
Single Password Protocol (SPP) is:
- Simple
- Efficient
- Secure