Exercise: Password Auditing


Exercise: Password Auditing
2016 GenCyber JMU Bootcamp for High School Teachers

The IFF Problem
Identify friend or foe (IFF)
[Figure: an F22 stealth bomber challenges an approaching aircraft]
“Who is there? Identify yourself”
“I am your friend. Do not shoot me!”

Entity Authentication
Verification
[Figure: F22 stealth bomber]
“Who the heck are you?”
“Prove it!”

Authentication Factors
How to authenticate an entity?
- Something that you know (proof by knowledge): password, PIN code, combinations to locks. Easy to revoke; sharable.
- Something that you have (proof by possession): physical key, membership card, cell phone Security Identity Module (SIM) card, smart card, hardware token (USB token, smart card). Easy to revoke; transferable.
- Something that you are (proof by property; physical characteristic recognition, PCR): biometric. Hard to revoke; non-transferable.
- Something that you do (behavioral characteristic recognition, BCR): writing speed, writing pressure, typing speed / intervals between key strokes: biometric.
- The place that you are: IP address (on-line digital databases: ACM, IEEE, Springer), location by Global Positioning System (GPS).
This slide lists five different levels of authentication.

Password Authentication: Necessary Evil
[Figure: Alice holds the password w; the computer holds the password verification data v]
Alice memorizes a password.
The computer stores password verification data (PVD, password verifier).
Local authentication: Alice gives her password to the computer for authentication.
Speaker notes: In a password-based authentication system, a client memorizes a password and a server stores the related password verification data (PVD). Typically, the PVD is the hash of the password, the user ID and a random salt (a public value).

Remote Password Authentication
[Figure: PVD v stored on the server]
Harder: v has to be calculated from w.
Many ways: Microsoft Windows (LM, NTLM), Linux, database, on the web.
Speaker notes: How does the one-time password scheme work? After Alice picks a reusable password, p, the server picks an integer n and calculates the PVD as h^n(p), the hash h applied n times to p. Please pay attention to the definition of h^n(p). The server stores both n and the PVD.
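A worked run of the one-time password chain described in the notes, as an added example that is not part of the original slides: the server keeps only the pair (n, h^n(p)), each login presents the next lower value h^(n-1)(p) in the chain, and a replayed value is rejected. SHA-256 as h and the class names are assumptions.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """The one-way hash h of the scheme (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()

def h_n(p: bytes, n: int) -> bytes:
    """h^n(p): h applied n times to p, with h^0(p) = p."""
    x = p
    for _ in range(n):
        x = h(x)
    return x

class OtpServer:
    """Holds only the pair (n, PVD = h^n(p)); the reusable password p is never stored."""
    def __init__(self, p: bytes, n: int):
        self.n = n
        self.pvd = h_n(p, n)

    def login(self, presented: bytes) -> bool:
        # The next login must present h^(n-1)(p): hashing it once must give the stored PVD.
        # n <= 1 means the chain is exhausted; accepting h^0(p) = p would expose the password.
        if self.n <= 1 or not hmac.compare_digest(h(presented), self.pvd):
            return False
        # Accept, then move down the chain so the same value cannot be replayed.
        self.n -= 1
        self.pvd = presented
        return True

class OtpClient:
    """Alice: recomputes h^(n-1)(p), h^(n-2)(p), ... from p for each login."""
    def __init__(self, p: bytes, n: int):
        self.p = p
        self.next_exp = n - 1

    def next_otp(self) -> bytes:
        otp = h_n(self.p, self.next_exp)
        self.next_exp -= 1
        return otp

def run_chain(p: bytes, n: int) -> int:
    """Log in until the chain is exhausted; returns how many logins succeeded (n - 1)."""
    server, client = OtpServer(p, n), OtpClient(p, n)
    successes = 0
    while server.login(client.next_otp()):
        successes += 1
    return successes
```

Once n reaches 1 the server must re-enrol Alice with a fresh n, since the only value left in the chain is p itself.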

What will we do in this exercise?
[Figure: PVD v stored on the server]
A bad guy steals v (from MS Windows, a MySQL database).
Can the bad guy recover w?
How to make it harder for the bad guy?
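To make the exercise concrete, here is an added example (not the slides' own code) that builds the PVD the earlier password slide describes, v = H(password, user ID, salt) with a slow iterated hash, and runs a defender-side audit of a PVD table against a short known-weak list, showing why a per-user salt and a work factor make recovery of w harder. The user names, passwords, iteration count and the PBKDF2 choice are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 10_000  # work factor per guess; a demo value, raise it in practice

def unsalted_pvd(password: str) -> bytes:
    """The weak form v = H(w): equal passwords give equal v, and one
    precomputed table of H(guess) covers every account at once."""
    return hashlib.sha256(password.encode()).digest()

def make_pvd(user: str, password: str, salt: Optional[bytes] = None,
             iterations: int = ITERATIONS):
    """v = H(password, user ID, salt) as on the slide, with PBKDF2-HMAC-SHA256
    as the iterated H. Returns (salt, v); the salt is public and stored with v."""
    if salt is None:
        salt = secrets.token_bytes(16)
    material = f"{user}\0{password}".encode()
    return salt, hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def verify(user: str, password: str, salt: bytes, v: bytes,
           iterations: int = ITERATIONS) -> bool:
    _, candidate = make_pvd(user, password, salt, iterations)
    return hmac.compare_digest(candidate, v)

def audit_weak_passwords(pvd_table: dict, weak_list: list,
                         iterations: int = ITERATIONS) -> dict:
    """Defender-side audit of a PVD table: report accounts whose v matches a
    known-weak password. Because every account has its own salt, each
    (account, guess) pair costs a fresh slow hash and nothing is shared."""
    hits = {}
    for user, (salt, v) in pvd_table.items():
        for guess in weak_list:
            if verify(user, guess, salt, v, iterations):
                hits[user] = guess
                break
    return hits

# Constructed sample table (no real accounts): alice and bob share a weak password.
WEAK_LIST = ["password", "123456", "letmein"]
PVD_TABLE = {
    "alice": make_pvd("alice", "password"),
    "bob": make_pvd("bob", "password"),
    "carol": make_pvd("carol", "correct horse battery staple"),
}

if __name__ == "__main__":
    print(audit_weak_passwords(PVD_TABLE, WEAK_LIST))  # flags alice and bob only
```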