Sanjay Goel, School of Business/NYS Center for Information Forensics and Assurance, University at Albany (Proprietary Information). Unit Outline: Information Security Risks, Part II.

Unit Outline: Information Security Risks, Part II (slide 1)
Module 1: Password Security
Module 2: Wireless Security
Module 3: Unintentional Threats
Module 4: Insider Threats
Module 5: Miscellaneous Threats
Module 6: Summary

Module 1: Password Security (slide 2)

Password Security: Learning Objectives (slide 3)
Students should be able to:
–Understand how passwords are stored
–Identify mechanisms for improving password security
–Determine how passwords can be protected

Passwords: Basic Problem (slide 4)
How do you prove to someone that you are who you claim to be?
–Any system with access control must solve this problem
What you know
–Passwords
–Secret key
Where you are
–IP address
What you are
–Biometrics
What you have
–Secure tokens

Passwords: Authentication (slide 5)
User has a secret password. System checks it to authenticate the user.
–Vulnerable to eavesdropping when the password is communicated from user to system
How is the password stored?
How does the system check the password?
How easy is it to guess the password?
–Easy-to-remember passwords tend to be easy to guess
–Password file is difficult to keep secret

Passwords: Windows Passwords (slide 6)
Set or change password: Windows generates an LM hash and an NT hash. Two hashing functions are used to encrypt passwords:
–LAN Manager hash (LM hash)
 –Password is padded with zeros until there are 14 characters
 –It is then converted to uppercase and split into two 7-character pieces
 –Each half is encrypted using an 8-byte DES (Data Encryption Standard) key
 –Result is combined into a 16-byte, one-way hash value
–NT hash
 –Converts the password to Unicode and uses the MD4 hash algorithm to obtain a 16-byte value
Hashes are stored in the Security Accounts Manager database
–Commonly known as "SAM" or "the SAM file"
–SAM is locked by the system kernel when the system is running
–File location: C:\WINNT\SYSTEM32\CONFIG
–SYSKEY

Passwords: Unix Passwords (slide 7)
Uses modified DES as if it were a hash function
–Encrypts the NULL string using the password as the key
–Truncates passwords to 8 characters!
–Artificial slowdown: run DES 25 times
–Modern UNIXes can be instructed to use the MD5 hash function
Problem: passwords are not truly random
–With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
–Humans like to use dictionary words, human and pet names: ≈ 1 million common passwords
–On average each person has 8-12 passwords:
 –Different systems impose different requirements on passwords
 –Passwords need to be changed often
 –Some passwords are used occasionally (once a year)

Password Impact on Security (slide 8)
"What we found on Al Qaeda computers were two things:
–Simple hacking tools are available to anyone who looks for them on the Internet.
–Tools such as L0phtCrack allow admittance into almost anyone's account if a simple eight-digit password is used.
People are frightened when they learn that using only an eight-digit password with standard numbers and letters will allow anyone to figure out their passwords in less than two minutes when one downloads a publicly available tool like L0phtCrack from the Internet. This was the kind of tool which we found, nothing terribly sophisticated."
Richard Clarke, President's Advisor on Cyber Security ( )

Passwords: Methods of Attack (slide 9)
Dictionary Attack
–Quick technique that tries every word in a specific dictionary
Hybrid Attack
–Adds numbers or symbols to the end of a word
Brute Force Attack
–Tries all combinations of letters, numbers and symbols
Popular programs for Windows password cracking
–LC4
–SAMInside
–Crack
–John the Ripper (JTR)

Passwords: Dictionary Attack (slide 10)
Password file /etc/passwd is world-readable
–Contains user IDs and group IDs used by many system programs
Dictionary attack is possible because many passwords come from a small dictionary
–Attacker can compute H(word) for every word in the dictionary and see if the result is in the password file
–With a 1,000,000-word dictionary and assuming 10 guesses per second, a brute-force online attack takes 50,000 seconds (14 hours) on average
–This is very conservative. An offline attack is much faster!

Passwords: Hashing (slide 11)
Instead of the user password, store a hash of the password
When the user enters a password, compute its hash and compare it with the entry in the password file
–System does not store actual passwords!
Hash function H must have some properties
–One-way: given H(p), hard to find p
 –No known algorithm better than trial and error
–Collision-resistant: given H(p1), hard to find p2 such that H(p1)=H(p2)

Passwords: Salting (slide 12)
Salting means adding a random piece of data (the salt) to the password before hashing it.
–This means that the same string will hash to different values at different times
–Users with the same password have different entries in the password file
–Salt is stored with the data that is encrypted
Hacker has to get the salt, add it to each possible word and then rehash the data prior to comparing with the stored password.

Passwords: Salting, Cont'd. (slide 13)
Without salt, the attacker can pre-compute hashes of all dictionary words once for all password entries
–Same hash function on all UNIX machines
–Identical passwords hash to identical values; one table of hash values can be used for all password files
With salt, the attacker must compute hashes of all dictionary words once for each password entry
–With a 12-bit random salt, the same password can hash to 2^12 (4096) different hash values
–Attacker must try all dictionary words for each salt value in the password file

Passwords: Iteration Count (slide 14)
The same password can be rehashed many times over to make it more difficult for the hacker to crack the password.
This means that precomputed dictionary hashes are not useful, since the iteration count is different for different systems
–Dictionary attack is still possible!
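As an added example (not from the slides), the hashing, salting and iteration-count ideas of slides 11 to 14 in Python: PBKDF2-HMAC-SHA256 is assumed as the salted, iterated one-way function, the dictionary is a constructed five-word list, and the table lookup shows why one precomputed table matches an unsalted entry at once while a salted entry forces fresh work per entry.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "1 million common passwords" dictionary.
DICTIONARY = ["password", "letmein", "dragon", "hunter2", "qwerty"]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated one-way function: PBKDF2-HMAC-SHA256(password, salt).

    The salt makes identical passwords produce different stored values; the
    iteration count is the deliberate slowdown paid on every guess.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str, iterations: int = 100_000) -> dict:
    """Create a password-file entry; salt and count are stored with the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}


def verify(entry: dict, candidate: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    computed = hash_password(candidate, entry["salt"], entry["iterations"])
    return hmac.compare_digest(computed, entry["hash"])


def unsalted_entry(password: str) -> bytes:
    """What an unsalted password file stores: plain H(p), here SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_table(words) -> dict:
    """Built once and reusable against every unsalted file: H(word) -> word."""
    return {unsalted_entry(w): w for w in words}


def guesses_needed(num_entries: int, dict_size: int, salted: bool) -> int:
    """Hash computations to test a whole dictionary against a password file."""
    return dict_size * num_entries if salted else dict_size


if __name__ == "__main__":
    a, b = store("dragon", 1000), store("dragon", 1000)
    print("same password, different entries:", a["hash"] != b["hash"])
    table = precomputed_table(DICTIONARY)
    print("unsalted entry found in table:", table.get(unsalted_entry("dragon")))
    print("salted entry found in table:", table.get(a["hash"]))
    print("salted entry still verifies:", verify(a, "dragon"))
```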

Passwords: Shadow (slide 15)
Utilized in UNIX systems
Store hashed passwords in the /etc/shadow file, which is only readable by the system administrator (root)
Add expiration dates for passwords
Early shadow implementations on Linux called the login program, which had a buffer overflow!

Passwords: Authentication Protocols (slide 16)
Set of rules that governs the communication of data related to authentication between the server and the user
TRANSFORMED PASSWORD
–Password transformed using a one-way function before transmission
–Prevents eavesdropping but not replay
CHALLENGE-RESPONSE
–Server sends a random value (challenge) to the client along with the authentication request. This must be included in the response
–Protects against replay
TIME STAMP
–The authentication from the client to the server must have a time-stamp embedded
–Server checks if the time is reasonable
–Protects against replay
–Depends on synchronization of clocks on computers
ONE-TIME PASSWORD
–New password obtained by passing the user password through a one-way function n times, where n keeps incrementing
–Protects against replay as well as eavesdropping
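An added example, not part of the original slides, of the one-time password scheme above built as a Lamport hash chain: the server enrols H^n(p) and never stores p, the client presents H^(n-1)(p), then H^(n-2)(p), and so on, so the number of remaining links decreases with each login and a captured value cannot be replayed or turned into the next one. SHA-256 as H and the constructed secret are assumptions.

```python
import hashlib


def H(value: bytes) -> bytes:
    """The one-way function of the slide; SHA-256 is assumed here."""
    return hashlib.sha256(value).digest()


def hash_chain(secret: bytes, times: int) -> bytes:
    """Apply H repeatedly: returns H^times(secret)."""
    value = secret
    for _ in range(times):
        value = H(value)
    return value


class OtpServer:
    """Verifier: holds only the last accepted link of the chain, never p."""

    def __init__(self, secret: bytes, n: int):
        self.remaining = n                       # links left before re-enrolment
        self.last_accepted = hash_chain(secret, n)

    def exhausted(self) -> bool:
        # Stop at one link so the raw secret p = H^0(p) is never sent.
        return self.remaining <= 1

    def login(self, candidate: bytes) -> bool:
        if self.exhausted():
            return False
        if H(candidate) != self.last_accepted:
            return False                         # not the next link: reject
        self.last_accepted = candidate           # this value is now the reference
        self.remaining -= 1
        return True


class OtpClient:
    """Prover: recomputes the chain from p with one fewer application each time."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.remaining = n

    def exhausted(self) -> bool:
        return self.remaining <= 1

    def next_password(self) -> bytes:
        if self.exhausted():
            raise RuntimeError("chain exhausted; re-enrol with a new n")
        self.remaining -= 1
        return hash_chain(self.secret, self.remaining)


if __name__ == "__main__":
    secret = b"constructed-secret"               # constructed sample value
    server, client = OtpServer(secret, 3), OtpClient(secret, 3)
    first = client.next_password()
    print("first login:", server.login(first))
    print("replay of first:", server.login(first))
    print("second login:", server.login(client.next_password()))
```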

Passwords: Challenge Response (slide 17)
User and system share a secret key
Challenge: system presents user with some string
Response: user computes response based on secret key and challenge
Secrecy: difficult to recover key from response
–One-way hashing or symmetric encryption work well
Freshness: if challenge is fresh and unpredictable, attacker on the network cannot replay an old response
–For example, use a fresh random number for each challenge
Good for systems with pre-installed secret keys
–Car keys; military friend-or-foe identification
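The challenge-response exchange of this slide, together with the time-stamp variant of the previous one, as an added example in Python that is not from the slides: HMAC-SHA256 is the assumed one-way keyed function, the shared key is constructed, the server consumes each challenge on first use so a captured response cannot be replayed, and the time-stamp path shows the clock-skew window and the duplicate check it needs.

```python
import hashlib
import hmac
import secrets
import time


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed one-way function: the key is not recoverable from (message, mac)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Server:
    """Verifier: issues unpredictable challenges and accepts each only once."""

    def __init__(self, shared_key: bytes, challenge_ttl: float = 30.0, clock_window: int = 60):
        self.key = shared_key
        self.ttl = challenge_ttl          # seconds a challenge stays answerable
        self.window = clock_window        # tolerated clock skew, seconds
        self.pending = {}                 # challenge -> monotonic time issued
        self.seen_stamps = set()          # time stamps already accepted

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)      # fresh random number per attempt
        self.pending[challenge] = time.monotonic()
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        issued = self.pending.pop(challenge, None)   # consumed on first use
        if issued is None:
            return False          # never issued, or already answered: a replay
        if time.monotonic() - issued > self.ttl:
            return False          # challenge too old
        return hmac.compare_digest(mac(self.key, challenge), response)

    def verify_timestamped(self, stamp: int, response: bytes, now: int) -> bool:
        """Time-stamp variant: freshness comes from the clock, not a challenge."""
        if abs(now - stamp) > self.window:
            return False          # outside the tolerated clock skew
        if stamp in self.seen_stamps:
            return False          # same stamp presented twice inside the window
        if not hmac.compare_digest(mac(self.key, str(stamp).encode()), response):
            return False
        self.seen_stamps.add(stamp)
        return True


class Client:
    """Prover: demonstrates possession of the key without transmitting it."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge)

    def respond_timestamped(self, now: int) -> tuple:
        return now, mac(self.key, str(now).encode())


if __name__ == "__main__":
    key = b"constructed-shared-key"             # constructed sample value
    server, client = Server(key), Client(key)
    challenge = server.issue_challenge()
    response = client.respond(challenge)
    print("fresh response accepted:", server.verify(challenge, response))
    print("replayed response accepted:", server.verify(challenge, response))
```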

Passwords: Improving Security (slide 18)
Add biometrics
–For example, keystroke dynamics or voiceprint
–Revocation is often a problem with biometrics
Graphical passwords
–Goal: increase the size of the memorable password space
–Rely on the difficulty of computer vision
 –Face recognition is easy for humans, hard for machines
 –Present the user with a sequence of faces; he must pick the right face several times in a row to log in
–Other examples
 –Click on a series of pictures in order
 –Drawing a picture
 –Clicking four correct points on a picture

Passwords: Personal Token Authentication (slide 19)
Personal tokens are hardware devices that generate unique strings that are usually used in conjunction with passwords for authentication
A variety of different physical forms of tokens exist
–e.g. hand-held devices, smart cards, PCMCIA cards, USB tokens
Different types of tokens exist:
–Storage Token: a secret value that is stored on a token and is available after the token has been unlocked using a PIN
–Synchronous One-time Password Generator: generates a new password periodically (e.g. each minute) based on time and a secret code stored in the token
–Challenge-response: token computes a number based on a challenge value sent by the server
–Digital Signature Token: contains the digital signature private key and computes a digital signature on a supplied data value

Passwords: Biometric Authentication (slide 20)
Uses certain biological characteristics for authentication
–Biometric reader measures physiological indicia and compares them to specified values
–It is not capable of securing information over the network
Different techniques exist
–Fingerprint Recognition
–Voice Recognition
–Handwriting Recognition
–Face Recognition
–Retinal Scan
–Hand Geometry Recognition

Passwords: Fingerprint Authentication (slide 21)
Unique patterns in people's fingerprints are used for unique identification
Most tested of all biometric systems
Commonly used in crime labs for forensic investigations

Passwords: Iris Authentication (slide 22)
The scanning process takes advantage of the natural patterns in people's irises, digitizing them for identification purposes.
–Probability of two irises producing exactly the same code: 1 in 10^78
–Independent variables (degrees of freedom) extracted: 266
–IrisCode record size: 512 bytes
–Operating systems compatibility: DOS and Windows (NT/95)
–Average identification speed (database of 100,000 IrisCode records): one to two seconds

Passwords: Protection/Detection (slide 23)
Protection:
–Disable storage of LAN Manager hashes.
–Configure both Local and Domain Account Policies (Password & Account Lockout Policies).
–Audit access to important files.
–Implement SYSKEY security on all systems.
–Set BIOS to boot first from the hard drive.
–Password-protect the BIOS.
–Enforce strong passwords!
–Change your passwords frequently.
–Use two- or three-factor authentication.
–Use one-time passwords.

Password Security: Summary (slide 24)
Passwords are stored in a hashed form to prevent their compromise
Password security can be improved by
–Salting
Several authentication protocols exist for improved security
Biometrics can be employed for improved security