CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

Introduction

There are two primary parts to access control:
 - Authentication: are you who you say you are? It binds a claimed identity to the user (or other entity) that is requesting access.
 - Authorization: given that identity, is the entity allowed to perform a particular action on a particular system or resource?

Authentication comes first; authorization decisions are only as good as the identity they are based on. This section is about authentication.

Authentication Methods

A human can be authenticated to a machine by any combination of the following:
 1. Something you know, e.g. a password
 2. Something you are, e.g. a fingerprint
 3. Something you have, e.g. an ATM card

1. Something You Know - Passwords

A password is:
 - something that you know
 - something the computer can verify that you know
 - something nobody else can guess, even with access to unlimited computing resources

One important fact regarding passwords is that many things act as passwords, e.g. the PIN for an ATM card.

One proposed solution to the password problem is to use randomly generated cryptographic keys in place of passwords. Why does that not simply work?

Keys Versus Passwords

If a password is 8 characters long (8 bytes) with 256 possible choices for each character, there are 256^8 = 2^64 possible passwords, e.g. "password".

A 64-bit (8-byte) cryptographic key gives 2^64 possible keys, and Trudy must try about 2^63 keys before she expects to find the correct one, e.g. "Kf&Yw!a[".

Although 2^64 = 256^8 (8 bytes), so the two spaces appear equivalent, users do not select passwords uniformly at random, because they must remember them. The effective password space is far smaller than 2^64 (most of the 256 byte values cannot even be typed), whereas a random key really does cost 2^63 expected guesses.

Choosing Passwords

Some passwords are better than others. For example, the following passwords are weak:
 - Frank (your name)
 - (your birthday)

Users should choose passwords that are difficult to guess, such as:
 - jFiEk(43j-EmmL+y
 - BedL1ON

Attacking Systems via Passwords

A common attack path for Trudy is: outsider -> normal user -> administrator. One weak password on a system, or one weak password anywhere on a network, can be enough for the first stage of that attack to succeed.

Password Verification

Problem: storing "raw" (plaintext) passwords is not secure; anyone who can read the password file learns every password.
Solution: store a hash of each password instead. To verify an entered password, hash it and compare with the stored value; the file never has to contain the password itself.

Password Verification

Problem with unsalted hashes:
 1. Suppose Trudy has a "dictionary" containing N common passwords d_0, d_1, d_2, ..., d_{N-1}. She can precompute the hash of each one: y_0 = h(d_0), y_1 = h(d_1), y_2 = h(d_2), ..., y_{N-1} = h(d_{N-1}).
 2. Given a stored hash h(p), Trudy recovers the password p whenever h(p) equals one of her precomputed values y_i. The cost is one table lookup per stolen hash, and the precomputation is reused against every password file she ever obtains.

Solution (salting):
 1. Generate a random salt value s for each password (s is not secret).
 2. Compute y = h(p, s).
 3. Store the pair (s, y) in the password file.
 4. To verify an entered password z, compute h(z, s) and check that it equals y.

Because each record has its own salt, Trudy's table of y_i = h(d_i) no longer matches anything; she has to redo the dictionary computation for every salt.
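The attack and the defence side by side, as an added example (not code from the original slides). It uses SHA-256 over salt || password as a stand-in for the slide's h(p, s), a constructed five-word dictionary in place of Trudy's real one, and a per-record random salt; the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Toy instantiation of the slide's h(p, s): SHA-256 over salt || password.
# A fast hash is enough to show what the salt buys; a deployed system should
# use a deliberately slow KDF (scrypt/Argon2, or at least PBKDF2) instead.
def h(password: bytes, salt: bytes = b"") -> bytes:
    return hashlib.sha256(salt + password).digest()

# --- the defender's side ---------------------------------------------------
def store_unsalted(password: bytes) -> bytes:
    """Insecure variant: the password file holds y = h(p)."""
    return h(password)

def store_salted(password: bytes) -> Tuple[bytes, bytes]:
    """Slide's scheme: random public salt s, file holds (s, y) with y = h(p, s)."""
    s = os.urandom(16)          # not secret, but unique per record
    return s, h(password, s)

def verify_salted(entered: bytes, record: Tuple[bytes, bytes]) -> bool:
    s, y = record
    # constant-time comparison so the check itself leaks nothing about y
    return hmac.compare_digest(h(entered, s), y)

# --- Trudy's side ------------------------------------------------------------
# Constructed toy dictionary d_0 .. d_{N-1}; a real one holds millions of entries.
DICTIONARY = [b"password", b"123456", b"qwerty", b"letmein", b"BedL1ON"]

# Precomputed once, before any password file is stolen: y_i = h(d_i).
PRECOMPUTED = {h(d): d for d in DICTIONARY}

def crack_unsalted(stored: bytes) -> Optional[bytes]:
    """One table lookup per stolen hash; the N hashes were paid for up front."""
    return PRECOMPUTED.get(stored)

def crack_salted(record: Tuple[bytes, bytes]) -> Tuple[Optional[bytes], int]:
    """The precomputed table is useless: every record has its own salt, so
    Trudy must recompute h(d_i, s) per record. Returns (password, hashes done)."""
    s, y = record
    work = 0
    for d in DICTIONARY:
        work += 1
        if h(d, s) == y:
            return d, work
    return None, work

if __name__ == "__main__":
    rec = store_salted(b"letmein")
    print("unsalted, table lookup:", crack_unsalted(store_unsalted(b"letmein")))
    print("salted, table lookup:  ", PRECOMPUTED.get(rec[1]))
    print("salted, recompute:     ", crack_salted(rec))
    print("verify correct / wrong:", verify_salted(b"letmein", rec),
          verify_salted(b"wrong", rec))
```

The salt does not make a weak password strong: crack_salted still finds "letmein" after four hashes. What it removes is the amortisation, since the table built from DICTIONARY is worthless against every salted record, and the work has to be repeated per account.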

Math of Password Cracking

Suppose that:
 - all passwords are eight characters long, and
 - there are 128 choices for each character,
giving 128^8 = 2^56 possible passwords. In general the size of the space is (number of possible choices per position)^(number of positions).

Math of Password Cracking

Case I: Trudy wants to find Alice's password and has no dictionary (Alice's password is assumed to be 8 characters drawn from the 2^56 space above). This is precisely equivalent to an exhaustive key search, and the expected work is 2^56/2 = 2^55.

Math of Password Cracking

Case II: Trudy again wants to recover Alice's password, but she first tries her dictionary of 2^20 common passwords. Assuming that any given password appears in the dictionary with probability about 1/4, the expected work is (1/4)(2^19) + (3/4)(2^55) ≈ 2^54.6. Against a single target the dictionary helps little, because it only pays off in the quarter of cases where Alice chose a common password.

Math of Password Cracking

Case III: Trudy will be satisfied to find any one of the 1024 passwords in the hashed password file, without using a dictionary. Assume the file contains 2^10 = 1024 distinct hashed passwords and that they are not salted, so each candidate hash can be compared against all 1024 entries at once. The expected work is about 2^55/2^10 = 2^45. (A more careful count of the expected position of the first hit among 1024 targets in a space of 2^56 gives 2^56/(2^10 + 1) ≈ 2^46, within a factor of two of the slide's figure.)

Math of Password Cracking

Case IV: Trudy wants to find any one of the 1024 passwords in the hashed password file, and she makes use of her dictionary. The expected work is:
 - Not salted: 2^19/2^10 = 2^9. Each dictionary word is hashed once and compared against all 1024 entries, and about a quarter of those entries are in the dictionary.
 - Salted: each record has its own salt, so the dictionary must be re-hashed for every account tried: (1/4)(2^19) + (3/4)(1/4)( ) + (3/4)^2(1/4)( ) + … + (3/4)^1023(1/4)( ) < 2^22, where the k-th term is the probability that the first k accounts are not in the dictionary times the expected work when the next one is.

Salting does not stop a dictionary attack outright, but it removes Trudy's precomputation and makes her work grow with the number of accounts she attacks.
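The four cases carried through in Python, as an added example that is not part of the original slides. It uses the slide's assumptions (2^56 equiprobable passwords, a 2^20-word dictionary, probability 1/4 of a password being in it, 1024 distinct file entries). Two things are this example's own: the term k·2^20 + 2^19 inside the salted sum, which is one reading of the parentheses that are empty in the transcript, and first_hit_exact, an order-statistic check that shows the ratio estimates in Cases III and IV (unsalted) are only rough.

```python
from math import log2

# Slide's assumptions: 8-character passwords, 128 choices per character,
# every password equally likely (128**8 == 2**56); Trudy's dictionary holds
# 2**20 common passwords; any given password is in it with probability 1/4;
# the stolen file holds 2**10 = 1024 distinct hashed passwords.
PW_BITS = 56
DICT_BITS = 20
P_DICT = 0.25
ENTRIES = 2 ** 10

def case1_exhaustive(pw_bits: int = PW_BITS) -> float:
    """One target, no dictionary: on average half the space is searched."""
    return 2 ** pw_bits / 2

def case2_dictionary_first(pw_bits: int = PW_BITS, dict_bits: int = DICT_BITS,
                           p: float = P_DICT) -> float:
    """One target: half the dictionary if the password is in it (prob p);
    otherwise the full dictionary pass is sunk cost and exhaustive search follows
    (the slide drops the sunk 2**20, which is negligible next to 2**55)."""
    return p * 2 ** (dict_bits - 1) + (1 - p) * 2 ** (pw_bits - 1)

def case3_any_of_many(pw_bits: int = PW_BITS, entries: int = ENTRIES) -> float:
    """Any one of `entries` targets, no dictionary, NO salt: every candidate
    hash is compared against all entries, so the single-target work is
    spread over the targets (slide's 2**55 / 2**10)."""
    return 2 ** (pw_bits - 1) / entries

def case4_unsalted(dict_bits: int = DICT_BITS, entries: int = ENTRIES) -> float:
    """Slide's figure: dictionary work spread over the entries."""
    return 2 ** (dict_bits - 1) / entries

def case4_salted(dict_bits: int = DICT_BITS, entries: int = ENTRIES,
                 p: float = P_DICT) -> float:
    """With salts every account is a separate dictionary run. Term k: the first
    k accounts were not in the dictionary (prob (1-p)**k, a full 2**20 pass
    each) and account k+1 is (prob p, expected 2**19 more). The term contents
    k*2**20 + 2**19 are this example's reading of the slide's empty parentheses."""
    return sum((1 - p) ** k * p * (k * 2 ** dict_bits + 2 ** (dict_bits - 1))
               for k in range(entries))

def first_hit_exact(space: int, targets: int) -> float:
    """Sanity check for Case III and Case IV (unsalted). If `targets` distinct
    items sit at uniformly random positions among `space` candidates, the
    expected position of the earliest one is (space + 1) / (targets + 1)."""
    return (space + 1) / (targets + 1)

if __name__ == "__main__":
    rows = [("I   exhaustive", case1_exhaustive()),
            ("II  dictionary, then exhaustive", case2_dictionary_first()),
            ("III any of 1024, unsalted", case3_any_of_many()),
            ("IV  any of 1024, unsalted, dictionary", case4_unsalted()),
            ("IV  any of 1024, salted, dictionary", case4_salted())]
    for name, work in rows:
        print(f"{name:40s} 2^{log2(work):.2f}")
    # The ratio estimates for III and IV-unsalted understate the work:
    print(f"III exact first hit:               2^{log2(first_hit_exact(2 ** PW_BITS, ENTRIES)):.2f}")
    print(f"IV-unsalted exact (256 in dict.):  2^{log2(first_hit_exact(2 ** DICT_BITS, ENTRIES // 4)):.2f}")
```

The salted total comes out at about 3.5·2^20, i.e. roughly four accounts' worth of dictionary passes, which is where the slide's bound of 2^22 comes from. The exact first-hit figures (about 2^46 for Case III and about 2^12 for unsalted Case IV, since only about 256 of the 1024 entries are in the dictionary) are larger than the slide's ratios, but the conclusion is unchanged: against an unsalted file with many accounts a dictionary attack is cheap, and salting pushes it back up by a factor of roughly 2^10.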

Other Password Issues/Problems

 - Remembering many different passwords is difficult, so users reuse them or write them down.
 - "Social engineering": someone claiming to be a system administrator asks you for your password, and many users simply hand it over.
 - Password cracking tools, such as:
   - L0phtCrack (for Windows), later sold as LC5: used to test password strength and to recover Microsoft Windows passwords, using dictionary, brute-force and hybrid attacks.
   - John the Ripper (originally for Unix): runs against many password hash formats, including crypt(3) DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

2. Something You Are - Biometrics

Biometrics are the "something you are" method of authentication or, in Schneier's immortal words, "you are your key". There are many different types of biometrics, such as fingerprints and handwritten signatures.

Biometrics

A biometric should be:
 - Universal: the ideal biometric applies to virtually everyone.
 - Distinguishing: the ideal biometric distinguishes individuals with virtual certainty.
 - Permanent: the physical characteristic being measured should never change.
 - Collectable: the physical characteristic should be easy to collect without any potential to harm the subject.
 - Reliable, robust, and user-friendly.

Biometrics Usage

 1. Identification: identify the subject from a list of many possible subjects. E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. The comparison is one to many.
 2. Authentication: the comparison is one to one. E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is compared only with the stored thumbprint of Alice.

Phases of a Biometric System

 1. The Enrollment Phase: subjects have their biometric information measured and entered into a database as a stored template.
 2. The Recognition Phase: a subject's biometric is measured again and compared with the stored template(s), one to one for authentication or one to many for identification.

Biometric Examples

 1. Fingerprints
 2. Hand Geometry
 3. Iris Scan

Biometric Error Rates

Every biometric trades off false accepts (an impostor is accepted) against false rejects (the legitimate user is refused): tightening the match threshold lowers one rate and raises the other. The equal error rate (EER) is the threshold at which the false accept rate and the false reject rate are equal, and is the usual single number for comparing systems. For fielded fingerprint biometric systems the equal error rate is typically about 5%, while hand geometry has an equal error rate of about 10^-3.

3. Something You Have

For example:
 - a network MAC address (weak on its own, since a MAC address is trivially spoofed)
 - an ATM card
 - a password generator
The process of a password generator is shown below:

Two-Factor Authentication

Two or three of the methods can be combined for authentication. For example, the password generator scheme requires both:
 1. "something you have" (the password generator), and
 2. "something you know" (the PIN).

Requiring two of the three distinct categories is known as two-factor authentication. Two passwords are not two factors; the point is that an attacker must defeat two different kinds of secret.
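One way to realise the password-generator scheme as a challenge-response exchange, as an added example that is not part of the original slides. The design is an assumption made here, since the slide's diagram is not in this transcript: the generator holds a per-device secret K_dev ("something you have"), the user types a PIN into it ("something you know"), and the server holds only the key K derived from both at enrollment. Class and function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict

def derive_key(device_secret: bytes, pin: str) -> bytes:
    """K = HMAC(K_dev, PIN). Producing K needs both the device (K_dev) and the
    knowledge (PIN); neither factor alone is enough."""
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()

class PasswordGenerator:
    """The token Alice carries ("something you have"). It stores only K_dev;
    the PIN ("something you know") is typed in at each use and never stored."""
    def __init__(self, device_secret: bytes) -> None:
        self._device_secret = device_secret

    def respond(self, pin: str, challenge: bytes) -> bytes:
        k = derive_key(self._device_secret, pin)
        return hmac.new(k, challenge, hashlib.sha256).digest()

class Server:
    """Bob. At enrollment he records the derived key K for each user and keeps
    nothing else: neither K_dev nor the PIN is stored server-side."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, user: str, device_secret: bytes, pin: str) -> None:
        self._keys[user] = derive_key(device_secret, pin)

    def challenge(self, user: str) -> bytes:
        """Fresh random R per login attempt; R is never reused."""
        r = secrets.token_bytes(16)
        self._pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        r = self._pending.pop(user, None)   # each challenge is consumed exactly once
        key = self._keys.get(user)
        if r is None or key is None:        # no outstanding challenge: replays fail here
            return False
        expected = hmac.new(key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: Server, user: str, generator: PasswordGenerator, pin: str) -> bool:
    """The full exchange. Bob -> Alice: R.  Alice -> Bob: HMAC(K, R)."""
    r = server.challenge(user)
    return server.verify(user, generator.respond(pin, r))

if __name__ == "__main__":
    k_dev = secrets.token_bytes(32)                 # burned into Alice's token
    bob = Server()
    bob.enroll("alice", k_dev, "4711")
    alice_token = PasswordGenerator(k_dev)
    print("both factors:     ", login(bob, "alice", alice_token, "4711"))
    print("wrong PIN:        ", login(bob, "alice", alice_token, "0000"))
    print("PIN, no device:   ", login(bob, "alice", PasswordGenerator(b"\x00" * 32), "4711"))
    r = bob.challenge("alice")
    captured = alice_token.respond("4711", r)       # Trudy sniffs this response
    bob.verify("alice", captured)
    print("replayed response:", bob.verify("alice", captured))
```

The random challenge is what makes a captured response useless a second time; a scheme that simply sent h(PIN) would be a password in disguise. The caveat on the server side is that K is as sensitive as any OTP seed: whoever reads the server's key store can answer challenges without holding either factor, so that store needs the same protection as a password file, salts or not.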