IS 302: Information Security and Trust Week 7: User Authentication (part I) 2012.

© Yingjiu Li

Who are you really?
Impersonation in the cyber-world: how does Bob prove he is Bob?
(Figure: Bob, Alice, Mallory; messages "Alice, I'm Bob" and "Who are you?")

Asymmetric solution with certificate
Bob: Hi, Alice, I am Bob. Here is my signature and certificate.
Alice: OK, let me verify your signature and certificate…
(Figure: Bob, Alice, Mallory; message "Alice, I'm Bob. Here are my sig and cert")

Symmetric solution with shared secret
Bob: Hi, Alice, I am Bob. I know our shared secret S.
–Weak authentication: Bob reveals S itself
–Strong authentication: Bob does not reveal S itself
(Figure: Bob, Alice, Mallory; message "Alice, I'm Bob. I know our secret S")

What is a shared secret?
What Bob knows
–Password, PIN, mother's maiden name…
What Bob possesses
–Physical key, token, smart card, passport…
Who Bob is
–Fingerprint, retina, voice, face, signature dynamics, DNA…

Password-based authentication
The most popular user authentication technique
–Weak authentication based on password → this week
–Strong authentication based on password → week 9
(Figure: Bob to Alice: "Alice, I'm Bob, and I know my pw")

Weak authentication based on password
–Subject to an eavesdropping attack when Bob sends the password across a network to a remote server
–Usable when Bob logs in to a local computer
(Figure: Bob to Alice: "Bob id, Bob password")

Store pwd directly
Non-cryptographic technique
–Alice stores "Bob id – Bob password" in a password file
–Alice authenticates Bob by comparing the received password to the password stored in the password file
(Figure: Bob to Alice: "Bob id, Bob password"; password file entries "Bob id – Bob password", …)

Store hashed or encrypted pwd
"Hashed or encrypted" password file
–Alice stores the hash or cipher of Bob's password
–Alice authenticates Bob by hashing (or encrypting) the received password and comparing it to the corresponding entry in the password file
(Figure: Bob to Alice: "Bob id, Bob password"; password file entry "Bob id – h(Bob password)")

Example I: Unix pwd
–DES is used repeatedly, 25 times, to encrypt 64-bit zeros
–Encryption key: user password
–How many possible pwds?
(Figure: Bob to Alice: "Bob id, Bob password"; password file entry "Bob id, DES25(Bob pwd, zeros)", …)

Example II: Windows LM Hash
LAN Manager (LM)
–Advanced network OS (MS and 3Com)
LM hash
–Windows 9X to Windows Me: store pwd as LM hash
–Windows 2000, NT, and XP: also store the LM hash by default for backwards compatibility (can be disabled)
–Windows Vista onwards: eliminates the LM hash → stores the NT(LM) hash only

LM Hash
Security of LM hash
–Passwords >7 chars → two 7-char halves are hashed independently
–Upper case only (26+10 for alphabets and numbers): 36^7 ≈ 2^36 for each half, 2^37 possible pwds
–Modern desktop can brute-force any LM hash (14-char pw) in a few hours.
Computation of the LM hash:
User pwd → uppercase
Null-padded or truncated to 14 bytes → 7+7 bytes
1st 7 bytes → DES key 1; 2nd 7 bytes → DES key 2
Each DES key encrypts a constant string → 8+8 bytes = 32 hex digits = 128 bits

NT(LM) Hash
MD4 hash value of the password
–16 bytes = 128 bits (the same length as the LM hash)
Security of NTLM hash
–Not half-and-half, not upper case only (52+10 for alphabets and numbers)
–62^14 ≈ 2^84 possible pwds
–(compare to 2^37 pwds in LM and 2^56 pwds in UNIX)
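The NT hash described on this slide, and the uppercase/pad/split preprocessing of the LM hash from the slide before it, as an added example that is not part of the original lecture. The NT hash is MD4 over the password encoded as UTF-16LE; because hashlib's MD4 is not available on every OpenSSL build, RFC 1320 MD4 is written out directly. DES is not implemented here, so for LM only the two independent 7-byte key halves are produced, and the ASCII encoding of the password is my assumption (real LM used the OEM code page). Function names are my own.

```python
# Added example, not from the slides: the NT hash of the "NT(LM) Hash" slide,
# and the preprocessing step of the LM hash from the slide before it.
# NT hash = MD4 over the password encoded as UTF-16LE. hashlib's MD4 is not
# available on every OpenSSL build, so RFC 1320 MD4 is written out here.
import math
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):  # round 1: selection
    return (x & y) | (~x & z)


def _g(x, y, z):  # round 2: majority
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):  # round 3: parity
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (little-endian words, 64-byte blocks)."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each round does 16 steps; rotating (a,b,c,d) after every step
        # reproduces the RFC's [ABCD], [DABC], [CDAB], [BCDA] ordering.
        for i in range(16):
            a = _rotl((a + _f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + _g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + _h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password; 16 bytes, shown as 32 hex digits."""
    return md4(password.encode("utf-16le")).hex()


def lm_halves(password: str):
    """LM preprocessing from the slide: uppercase, null-pad or truncate to 14
    bytes, split into the two 7-byte DES keys. DES itself is not implemented
    here, so the two independent halves are returned instead of the hash.
    Assumption: ASCII password (real LM used the OEM code page)."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidate passwords, to check the slide's figures."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("LM halves of 'secret': ", lm_halves("secret"))
    print("LM half  36^7  ->", round(keyspace_bits(36, 7), 1), "bits")
    print("NT      62^14  ->", round(keyspace_bits(62, 14), 1), "bits")
```

Two things the slides state become visible when this runs: a password of 7 characters or fewer leaves the second LM half as seven null bytes, so that half is a fixed, password-independent value in every such account; and the keyspace numbers come out at roughly 36 bits per LM half against roughly 83 bits for a 14-character NT password, which is why the slides treat the LM hash as brute-forceable on a desktop.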

SAM File
Where does Windows store the LM hash and/or NTLM hash?
–C:\Windows\System32\config\SAM
–Can you read/copy it?
–How to get access to it?
–Password cracking test/lab in week 11

Password Attacks
–Brute force attack
–Dictionary attack

Brute Force Attack
Mallory
–Gets access to a hashed/encrypted password file
–Hashes/encrypts every possible password and compares it to the password file
How to thwart a brute force attack?

Dictionary Attack
Mallory
–Creates a dictionary of commonly used passwords
–Pre-computes a password file for the pwd dictionary
–Looks for a match between the pre-computed password file and the real password file
How to thwart a dictionary attack?
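Alice's hashed password file from the "Store hashed or encrypted pwd" slide together with Mallory's pre-computed dictionary from this slide, as an added example that is not part of the original lecture. SHA-256 stands in for the lecture's DES and MD4 (my assumption), the user list and the "dictionary of commonly used passwords" are constructed, and the per-user random salt shown as the defence is the usual answer to the question this slide leaves open, not something the slide itself states.

```python
# Added example, not from the slides: Alice's hashed password file, Mallory's
# pre-computed dictionary from this slide, and a per-user salt as the usual
# answer to "how to thwart a dictionary attack?" (not stated on the slide).
# SHA-256 stands in for the lecture's DES/MD4 (assumption).
import hashlib
import hmac
import os

# Constructed sample "dictionary of commonly used passwords".
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome"]


def h(password: str, salt: bytes = b"") -> str:
    """h(pw) as on the slides; with a salt it is h(salt || pw)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_password_file(users: dict, salted: bool) -> dict:
    """Build {user_id: record}. Unsalted record: h(pw).
    Salted record: (salt, h(salt || pw)) with a fresh random 16-byte salt per user."""
    pw_file = {}
    for user, pw in users.items():
        if salted:
            salt = os.urandom(16)
            pw_file[user] = (salt, h(pw, salt))
        else:
            pw_file[user] = h(pw)
    return pw_file


def authenticate(pw_file: dict, user: str, pw: str) -> bool:
    """Alice's check: hash the received password the same way and compare.
    compare_digest keeps the comparison time independent of where it differs."""
    rec = pw_file.get(user)
    if rec is None:
        return False
    if isinstance(rec, tuple):
        salt, stored = rec
        return hmac.compare_digest(h(pw, salt), stored)
    return hmac.compare_digest(h(pw), rec)


def precomputed_table(words) -> dict:
    """Mallory's pre-computed password file: hash each dictionary word once."""
    return {h(w): w for w in words}


def recovered_by_table(pw_file: dict, table: dict) -> dict:
    """Match the stolen file against the table. Salted records never match,
    because the table holds h(pw) while the file holds h(salt || pw); Mallory
    would have to redo the whole dictionary for every user's salt."""
    found = {}
    for user, rec in pw_file.items():
        stored = rec[1] if isinstance(rec, tuple) else rec
        if stored in table:
            found[user] = table[stored]
    return found


if __name__ == "__main__":
    users = {"bob": "password", "carol": "letmein", "dave": "Redskin is My SMU"}
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted = make_password_file(users, salted=False)
    salted = make_password_file(users, salted=True)
    print("unsalted file, matched by table:", recovered_by_table(unsalted, table))
    print("salted file,   matched by table:", recovered_by_table(salted, table))
    print("bob logs in with the right password:", authenticate(salted, "bob", "password"))
```

With the unsalted file the pre-computed table matches every account whose password is in the dictionary in a single lookup, and two users who chose the same password have identical entries; with salted records the same table matches nothing, and the work of hashing the dictionary has to be repeated per user. The pass-phrase user is not in the dictionary either way, which is the point of the "Choose long pwd" slide.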

Choose strong pwd
–DO NOT use anyone's name as your password.
–DO NOT use words in a common dictionary as your password.
–DO NOT use your birth date as your password.
–DO use a combination of alphabets, digits and special characters.

Choose long pwd
Using a pass-phrase
–Easy to remember
–Longer, thus harder to crack
Examples
–Redskin is My SMU (to login at SMU)
–Redskin is My gmail (to login at gmail)
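A checker for the four "Choose strong pwd" rules that also accepts a pass-phrase as this slide recommends, as an added example that is not part of the original lecture. The sample name list and dictionary are constructed, the leet-substitution and date-format handling are my additions, and the threshold for what counts as a long pass-phrase (at least 4 words and 16 characters) is my assumption, not the slide's.

```python
# Added example, not from the slides: a checker for the "Choose strong pwd"
# rules, with the pass-phrase allowance from "Choose long pwd".
import re
from datetime import date

# Constructed sample data; a real deployment would load a full word list and
# the user's own profile names and dates (assumption).
DICTIONARY = {"password", "redskin", "welcome", "dragon", "monkey", "secret"}
NAMES = {"bob", "alice", "mallory", "yingjiu"}

# My threshold for "long pass-phrase", not the slide's: 4+ words and 16+ chars.
PASSPHRASE_WORDS = 4
PASSPHRASE_CHARS = 16


def date_forms(d) -> set:
    """Digit strings a birth date is commonly typed as (14051990, 051490, ...).
    d is a datetime.date or an ISO string such as '1990-05-14'."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    y, m, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    yy = y[2:]
    return {y + m + dd, dd + m + y, m + dd + y, dd + m + yy, m + dd + yy, yy + m + dd}


def _core(pw: str) -> str:
    """Strip leading/trailing digits and punctuation and undo common
    leet substitutions, so 'P@ssw0rd1' is checked as 'password'."""
    s = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    return s.translate(str.maketrans("@$013!", "asolei"))


def check_password(pw: str, names=NAMES, dictionary=DICTIONARY, birth_dates=()) -> list:
    """Return the slide rules the password violates; an empty list means it passes."""
    problems = []
    core = _core(pw)
    low = pw.lower()
    # Rule 1: not anyone's name (exact after normalisation, or embedded if the
    # name is long enough that a substring match is meaningful).
    if core in names or any(n in low for n in names if len(n) >= 4):
        problems.append("contains a person's name")
    # Rule 2: not a dictionary word, even disguised with digits or leet.
    if core in dictionary:
        problems.append("is a dictionary word")
    # Rule 3: not a birth date in any common digit layout.
    digits = re.sub(r"\D", "", pw)
    if any(form in digits for d in birth_dates for form in date_forms(d)):
        problems.append("contains a birth date")
    # Rule 4: letters + digits + special characters, unless it is a pass-phrase
    # long enough to be hard to crack on length alone.
    is_passphrase = (len(pw.split()) >= PASSPHRASE_WORDS
                     and len(pw) >= PASSPHRASE_CHARS)
    has_mix = all(re.search(p, pw) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9\s]"))
    if not has_mix and not is_passphrase:
        problems.append("needs letters, digits and special characters, or a long pass-phrase")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd1", "Bob19900514", "Redskin is My SMU"]:
        print(f"{candidate!r:22} -> {check_password(candidate, birth_dates=['1990-05-14'])}")
```

The slide's own example pass-phrase passes with no complaints, while "P@ssw0rd1" is still rejected as a dictionary word: the character-mix rule is satisfied, but after undoing the substitutions the core is "password", which is exactly what a dictionary attacker's word list is built to cover.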

Change pwd frequently?
–Arguable

Review
1. How long is a Unix password when stored?
  1. 12 bits
  2. 56 bits
  3. 64 bits
2. How long is an LM hash or NT hash?
  1. 14 letters
  2. 64 bits
  3. … bits
3. To thwart a brute-force attack, we need to choose
  1. Strong passwords
  2. Long enough passwords
  3. Strong authentication of passwords

Notice
Project draft (hard copy) due during the week 9 class
–It will not be graded