CSCE 201 Identification and Authentication Microsoft support Fall 2010

CSCE Farkas2 One-time Password Use the password exactly once!

CSCE Farkas3 Time Synchronized There is a hand-held authenticator – It contains an internal clock, a secret key, and a display – Display outputs a function of the current time and the key – It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function and its clock to calculate the expected output Login is valid if the values match

CSCE Farkas4 Time Synchronized Secret key Time One Time Password Encryption

CSCE Farkas5 Challenge Response Work station Host Network Non-repeating challenges from the host is used The device requires a keypad User ID Challenge Response

CSCE Farkas6 Challenge Response Secret key Challenge One Time Password Encryption

CSCE Farkas7 Devices with Personal Identification Number (PIN) Devices are subject to theft, some devices require PIN (something the user knows) PIN is used by the device to authenticate the user Problems with challenge/response schemes – Key database is extremely sensitive – This can be avoided if public key algorithms are used

CSCE Farkas8 Smart Cards Portable devices with a CPU, I/O ports, and some nonvolatile memory Can carry out computation required by public key algorithms and transmit directly to the host Some use biometrics data about the user instead of the PIN

CSCE Farkas9 Biometrics Fingerprint Retina scan Voice pattern Signature Typing style

CSCE Farkas10 Problems with Biometrics Expensive – Retina scan (min. cost) about $ 2,200 – Voice (min. cost) about $ 1,500 – Signature (min. cost) about $ 1,000 False readings – Retina scan 1/10,000,000+ – Signature 1/50 – Fingerprint 1/500 Can’t be modified when compromised

CSCE Farkas11 Home Computer Security

CSCE Farkas12 Required reading: Forgotten your Windows XP Home password? - Part 1: Introduction, Forgotten your Windows XP Home password? - Part 2: Using a password reset disk, ushttp://support.microsoft.com/kb/894901/en- us Forgotten your Windows XP Home password? - Part 3: Setting a new password as an administrator,

CSCE Farkas13 Problem: You don’t remember your password Solutions: 1. Verify that you have typed the letters of your password in the correct case 2. Access a password hint on the Welcome screen 3. Use a password reset disk 4. Log on as administrator to assign a new password to your account

CSCE Farkas14 Password Case Sensitivity Check CAPS LOCK key Question: Why do you want to use combination of symbols for your password?

CSCE Farkas15 Use a Password Hint Create a password hint: – Log on to your computer – Click Start, and then click Control Panel – Double-click User Accounts – Click your user account, and then click Change my password – Enter your current password, enter a new password, and then enter the new password again to confirm it – Enter the password hint, and then click Change Password – The change will take effect the next time that you log on To display the hint, click the question mark (?) that is next to your user account

CSCE Farkas16 Create a Password Reset Disk Click Start, and then click Control Panel Double-click User Accounts Click your user account, and then click Prevent a forgotten password. The Forgotten Password Wizard starts Follow the instructions NOTE: A password reset disk is valid until you create a new one; even if you change your password

CSCE Farkas17 Using the Password Reset Disk Create a password reset disk for your user account at the earliest opportunity How to use the password reset disk – Microsoft Windows remembers if you have created a password reset disk. Just click use your password reset disk – Follow the instructions of the Password Reset Wizard Question: Why should you safeguard your password reset disk?

CSCE Farkas18 Set a New Password as an Administrator Start the computer in Safe Mode Log on as administrator – first time login as administrator: no password assigned to the account Reset the password

CSCE Farkas19 Reset the Password Click Start, click Control Panel, and then double-click User Accounts Click your user account, and then click Change the password Enter a new password, enter it again to confirm the password, and then set a password hint. Click Change Password Set a password for the administrator account if you had none Question: Why is it recommended that you assign a password to the Administrator account?

CSCE Farkas20 Beware of Social Engineering! Kevin Mitnick story T. Espiner: Newsmaker: Kevin Mitnick, the great pretender, CNET News, 2006, pretender/ _ html pretender/ _ html T. Shimomura and J. Markoff, Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It, 1996, Computer-Outlaw/dp/ Computer-Outlaw/dp/ Question: Would you hire a reformed hacker to maintain your security?

Next Class Access Control An Introduction to Computer Security: The NIST Handbook, : Chapter 17, LOGICAL ACCESS CONTROL, pages Microsoft support, Use access control to restrict who can use your files, 2001, 2005, Sudhakar Govindavajhala and Andrew W. Appel, Windows Access Control Demystied, 2006,