Solutions for Secure and Trustworthy Authentication Ramesh Kesanupalli

Agenda
- Overview
- Industry Challenges
- SPEKE
- Industry implementation
- Other lines of research

Overview
- Device Security: enterprises and service providers cannot achieve sufficient levels of end-point security
- Network Security: the absence of device identity magnifies network vulnerability
- Content Security: a constantly increasing share of identity theft is carried out through “phishing” and “pharming” attacks

Industry Challenges
- People use passwords in all security protocols
- Most password-based protocols have been susceptible to hacks
- Protocols like 802.1x EAP, IPSEC v2 and RADIUS are looking at stronger authentication mechanisms
- Industry requires a more secure and cost-effective password mechanism
- Most enterprises are still concerned about wireless data security
- Wireless access for enterprise applications is still an unsolved task
- Phishing attacks are a major concern
- Identity theft

What is SPEKE?
- SPEKE: Simple Password-authenticated Exponential Key Exchange
- A Zero Knowledge Password Proof (ZKPP) protocol
- A simple password at both ends results in mutual authentication and a shared session key; no prior secrets or root certificates
- Standardized in IEEE 1363: “Password-Based Public-Key Cryptography”

Password Security Issues
- Vulnerabilities
  - Unprotected password: open to dictionary, replay or off-line attack
  - Stored password: crackable
  - Man in the middle: a 3rd party impersonates the client or server
- Countermeasures
  - Forcing frequent changes
  - Requiring mixed characters (uPP3r!)
  - Using “accessories” (such as tokens or SmartCards)
  - Using tunneled methods such as SSL or IPSec with digital certificates
- Countermeasures often defeat the goal of convenience or add great expense

SPEKE uses ZKPP
- Prove that you know a secret key without revealing what it is
  - The password is not sent over the connection
  - The secret is validated with a large, pseudo-random binary number
- Protects against known vulnerabilities
  - Can’t be sniffed
  - Not vulnerable to replay
  - Resists “man in the middle” type attacks
- Safer than CHAP, SSL, IPSec/IKE and other methods (even Kerberos) in a password-only configuration

Benefits of SPEKE
- Solves an existing problem
  - Better authentication and session keys
  - Compliant with the emerging WPA, 802.1x EAP standard
  - Prevents dictionary and other network attacks
  - Better server authentication: protects against phishing attacks
- Simplicity for end users
  - A simple password is made strong
  - No need for inconvenient countermeasures
  - Strength without infrastructure (no PKI required)
- Technical features
  - Advanced cryptography
  - No stored password on the client
  - Mutual authentication
  - Integrated key exchange

How SPEKE Protocol Works (diagram: SPEKE client and SPEKE server)
- 1: Enter password at each end
- 2: The algorithm swaps public keys of the chosen length
- 3: Each side derives the shared password-authenticated key and outputs the shared key

Enterprise SPEKE-enabled Session (diagram): the client enters the password; the application client and the application server run the ZKPP scheme; both ends hold the shared key, which encrypts the session.

Protection against Phishing Attacks
- A rogue web site that does not know the correct password will be immediately detected
- If the web site tries to guess an incorrect password and fails, no information is leaked; the rogue web site cannot use this information
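
The exchange sketched on the SPEKE slides above (the protocol overview, the ZKPP slide, the protocol diagram and this phishing slide), as an added Python example that is not Phoenix Technologies' or Jablon's code: both sides turn the password into a Diffie-Hellman generator, swap public values, derive the same key only when the passwords agree, and the server has to confirm the key before the client commits to anything. Assumed here: the RFC 3526 1536-bit MODP group as the safe prime, SHA-256 as the hash, and HMAC tags for the key-confirmation step.

```python
import hashlib
import hmac
import secrets
# Assumption for this demo: the 1536-bit safe prime p = 2q + 1 from RFC 3526 (MODP
# group 5); SPEKE derives its generator from the password as g = H(password)^2 mod p.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF
""".split()), 16)
Q = (P - 1) // 2  # prime order of the subgroup the exchange runs in

def speke_generator(password: str) -> int:
    """g = H(password)^2 mod p; squaring puts g in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, P)

class SpekeParty:
    """One side of the exchange; it knows only its own password."""
    def __init__(self, password: str, role: str):
        self.role = role
        self.x = secrets.randbelow(Q - 1) + 1  # private exponent in [1, q-1]
        self.public = pow(speke_generator(password), self.x, P)  # value sent on the wire

    def derive(self, peer_public: int) -> bytes:
        # Reject degenerate or out-of-subgroup values a party in the middle could inject.
        if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        self.key = hashlib.sha256(pow(peer_public, self.x, P).to_bytes(192, "big")).digest()
        return self.key

    def confirm_tag(self) -> bytes:
        # Key confirmation: prove possession of the derived key without revealing it.
        return hmac.new(self.key, self.role.encode(), "sha256").digest()

def run_speke(client_password: str, server_password: str) -> dict:
    """Swap public values, derive keys, then make the server prove itself first."""
    client = SpekeParty(client_password, "client")
    server = SpekeParty(server_password, "server")
    client.derive(server.public)
    server.derive(client.public)
    # The client checks the server's proof before sending anything key-dependent, so a
    # rogue server holding a guessed password is detected and learns only that it failed.
    expected = hmac.new(client.key, b"server", "sha256").digest()
    server_ok = hmac.compare_digest(server.confirm_tag(), expected)
    return {"keys_match": client.key == server.key, "server_authenticated": server_ok}
```

With a wrong server password run_speke reports both flags as False, and the mismatched tag tells the rogue side nothing beyond the fact that its guess failed.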

SPEKE Industry Implementation
- Entrust: Entrust True Pass remotely retrieves the user’s private key for web-browser PKI-enabled applications (roaming user application)
- Funk Software: 802.1x EAP-SPEKE, strong password-based authentication for RADIUS systems
- Interlink Networks: 802.1x EAP-SPEKE, strong password-based authentication for RADIUS systems
- Research In Motion: Enterprise Server provisions keys for a generic BlackBerry device (device enrollment)

SPEKE Applications
- Provisioning credentials
  - Private key retrieval, “roaming” protocols
  - Secure enrollment
  - Protection against phishing attacks
- Connection authentication
  - 802.1x and IPSEC v2 EAP wireless session establishment
  - 802.1x EAP wired authentication

Secure Protocol is not Enough
- Other lines of research from Phoenix Technologies
  - Stronger root of trust at the core: firmware-level cryptographic engine
  - Protected execution environments (x86 processors): System Management Mode
  - Caller validation: rogue programs are unable to call the API
  - Secure and trusted pre-OS execution environment
  - Strong pre-boot authentication using biometrics and smart cards/tokens

Phoenix Security Framework (diagram): Core System Software runs from power-on beneath the OS kernel and the applications. Privilege levels shown: ‘Ring 3’ application privilege, ‘Ring 0’ OS privilege, and ‘SMM’ CSS privilege in System Management Mode (the highest privilege on the CPU), where the Security Driver performs Caller Validation and the Device Key is held in Secure Silicon.

Thanks!