Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD.

I&A Introduction
Purpose: to identify a user to the system.
To authenticate someone, at least one of the following factors must be supplied:
–Something known (user name and password)
–Something owned (password token)
–Some physical characteristic (fingerprint, retinal scan, voice scan)
Authentication is weak if only one is supplied. Two are required for strong authentication.

E-Commerce and Authentication
To have the flexibility of money, I&A should not be required until a purchase is made.
You can require the user to log into your site, but most authentication schemes are very weak.
You will be liable if the user data escapes due to weak authentication. (Risk!)
SSL authenticates the web site to the user, not the user to the web site.
The user authenticates herself by providing credit card details.
Consider paying a third party to handle this.

Passwords
Local login
–Provide a user ID
–Then provide a password
Remote logins are similar
–telnet, rlogin, rsh, ssh (terminal sessions)
–ftp, ncftp, sftp, rcp, scp (file transfer)
Avoid telnet, ftp, ncftp, rlogin, rsh, and rcp. They transmit I&A data in the clear.

Implementing Passwords
Do not store passwords in the clear. Store the encrypted password and compare to that.
Password files should not be accessible to users. Hackers can run ‘crack’ against them in a dictionary attack.
Consider running ‘crack’ regularly against your own password file.
UNIX provides a ‘salt’ field in the password file, unlike Windows. This is concatenated with the password before encryption (using DES), increasing the search space for ‘crack’.
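An added example (not from the slides) of the salted storage and the self-audit described on this slide, in Python. The slide describes DES-based crypt with a salt field; what is stored is a one-way hash rather than reversible encryption, and PBKDF2-HMAC-SHA256 from the standard library is substituted here for DES crypt. The password file, the word list and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def make_record(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, hash) for the password file; the clear text is never stored.
    A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = make_record(password, salt)
    return hmac.compare_digest(digest, stored)


def audit_weak_passwords(pw_file: dict, wordlist: list) -> list:
    """The slide's advice to run 'crack' against your own file: report accounts
    whose stored hash matches a word in the list. Every guess is re-hashed per
    account because each account has its own salt; that per-account salt is what
    prevents one precomputed table from covering the whole file at once."""
    weak = []
    for user, (salt, digest) in pw_file.items():
        if any(verify(word, salt, digest) for word in wordlist):
            weak.append(user)
    return weak


# Constructed sample password file and a tiny constructed word list.
PW_FILE = {
    "alice": make_record("correct-horse-battery"),
    "bob": make_record("password"),
}
WORDLIST = ["password", "letmein", "sunderland"]

if __name__ == "__main__":
    print(verify("password", *PW_FILE["bob"]))       # True
    print(audit_weak_passwords(PW_FILE, WORDLIST))   # ['bob']
```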

Good Password Policies
6 or more characters
Change every days
Passwords must be used for at least 2-7 days
Previous passwords cannot be reused.
Three+ different character types (upper case, lower case, numbers, symbols)
Avoid weak passwords (names, addresses, phone numbers, SSNs, common dictionary words or phrases, and simple variations on the above).
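An added example (not from the slides) that checks a proposed password against the policy items above. The two-day minimum age, the weak-word list and the symbol-for-letter swap table are assumptions for the demo, and the password history is kept in clear only to keep the example short.

```python
import string
from datetime import date, timedelta

MIN_LEN = 6
MIN_CLASSES = 3
MIN_AGE = timedelta(days=2)   # assumed: must be used this long before changing
WEAK_WORDS = {"password", "sunderland", "letmein"}  # constructed stand-in for a dictionary
LEET = str.maketrans("@$01345", "asoieas")          # common symbol-for-letter swaps


def char_classes(pw: str) -> int:
    """How many of upper case, lower case, digits and symbols the password uses."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def normalise(pw: str) -> str:
    """Undo the 'simple variations' the slide warns about (case, trailing digits
    or punctuation, symbol-for-letter swaps) so that P@ssw0rd1 maps to password."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def check_policy(new_pw: str, history: list, last_changed: date, today: date) -> list:
    """Return the rules the proposed password violates; an empty list means accepted.
    history holds earlier passwords in clear only for the demo; a real system
    would keep salted hashes and compare against those."""
    problems = []
    if len(new_pw) < MIN_LEN:
        problems.append("shorter than 6 characters")
    if char_classes(new_pw) < MIN_CLASSES:
        problems.append("fewer than three character types")
    if normalise(new_pw) in WEAK_WORDS:
        problems.append("dictionary word or a simple variation of one")
    if new_pw in history:
        problems.append("previously used")
    if today - last_changed < MIN_AGE:
        problems.append("current password has not been used for 2 days yet")
    return problems


def demo() -> dict:
    """Constructed cases: a leet-speak dictionary word, the slides' own mBiF29!
    example, and a too-short reused password changed after only one day."""
    d0, d1 = date(2024, 1, 1), date(2024, 1, 10)
    return {
        "P@ssw0rd1": check_policy("P@ssw0rd1", [], d0, d1),
        "mBiF29!": check_policy("mBiF29!", [], d0, d1),
        "abc": check_policy("abc", ["abc"], date(2024, 1, 9), d1),
    }
```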

An Approach to Choosing Stronger Passwords
(Suggested by Qinetiq.)
Start with a phrase about a date.
Use the initials, lower case and upper case alternating.
Insert a special character somewhere.
Remember September 11th, 2001! → rS1101!
My birthday is February 29th! → mBiF29!

Tokens
Rather than something you know (password), you provide something you own.
The usual approach is that you provide an identifier (the first factor), and the system then sends you a challenge that you respond to (the second factor).
The response is generated by a device that you keep in your possession.
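The exchange described above, as an added example that is not from the slides: the server side and the token side are both shown. HMAC-SHA256 over a random server challenge is an assumed choice for the device's response function, and the Token and Server classes, the enrol step and the user names are constructed for the demo.

```python
import hashlib
import hmac
import os

class Token:
    """The device the user keeps: it answers challenges and never reveals the secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self._secrets = {}   # identifier -> enrolled token secret
        self._pending = {}   # identifier -> challenge awaiting a response
    def enrol(self, user: str) -> Token:
        secret = os.urandom(32)
        self._secrets[user] = secret
        return Token(secret)
    def challenge(self, user: str) -> bytes:
        """Step 2: after the identifier (step 1) issue a fresh random challenge; one
        is issued even for unknown identifiers so the reply does not reveal accounts."""
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce
    def verify(self, user: str, response: bytes) -> bool:
        """Step 3: accept only the response to the outstanding challenge, and only
        once, so a captured response cannot be replayed later."""
        nonce = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: Server, user: str, token: Token) -> bool:
    """The whole exchange: identifier, challenge, device-generated response."""
    return server.verify(user, token.respond(server.challenge(user)))

def demo() -> tuple:
    """Constructed run: genuine login, replay of the same response, a device
    with the wrong secret, and an identifier that was never enrolled."""
    srv = Server()
    alice = srv.enrol("alice")
    stranger = Token(os.urandom(32))
    resp = alice.respond(srv.challenge("alice"))
    return (srv.verify("alice", resp), srv.verify("alice", resp),
            login(srv, "alice", stranger), login(srv, "carol", alice))
```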

Biometrics
The system identifies you by something you are:
–Fingerprint(s)
–Retina pattern
–Iris pattern
–Facial pattern
–Voice
Demands good and expensive technology.

Handling Special Requirements (Example)
FAA system administrators at an en-route control center work as a team, under the supervision of a NAS Operations Manager (NOM).
Logging in would disrupt teamwork and delay response to emergencies.
Hence I&A is handled procedurally, except at terminals away from the central operations area.
In the central operations area, the team logs in using a team ID and password that is only good there. Elsewhere individual ID/PW are required.

FIA—CC User Identification and Authentication Functions
FIA_AFL
–How do you handle a login failing (possibly repeatedly)?
FIA_UID
–How does a user identify herself?
–What actions may an unidentified user take?
FIA_SOS
–Do you generate passwords or other secrets for the user?
–If not, do you test user-provided passwords or other secrets for strength?

CC User Authentication Functions
FIA_UAU
–What user actions do you allow before the identified user must authenticate herself?
–How many authentication mechanisms are used?
–What are the authentication mechanisms?
–Under what conditions must the user reauthenticate herself?
–How does the system avoid letting the user know why ID and authentication failed?
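An added example (not from the slides) of a login routine that answers the FIA_AFL question on the previous slide and the last FIA_UAU question on this one: consecutive failures are counted and the account is locked, and every failure path returns the same message while the real reason goes to an administrator log. The lockout threshold, the PBKDF2 parameters and the dummy record used for unknown identifiers are assumptions for the demo.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # assumed lockout threshold
ITERATIONS = 50_000       # assumed PBKDF2 work factor
FAILED = "login failed"   # the single message every failure path returns
def derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

class Account:
    def __init__(self, salt: bytes, digest: bytes):
        self.salt, self.digest = salt, digest
        self.failures, self.locked = 0, False

class Authenticator:
    def __init__(self):
        self.accounts = {}
        self.audit = []          # the real reason is logged here, for administrators
        salt = os.urandom(16)    # dummy record: unknown ids cost the same hash work
        self._dummy = Account(salt, derive(os.urandom(8).hex(), salt))
    def add_user(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, derive(pw, salt))
    def login(self, user: str, pw: str) -> str:
        """Returns 'ok' or FAILED: unknown identifier, wrong password and locked
        account all produce the same string, so the caller learns nothing."""
        acct = self.accounts.get(user)
        target = acct or self._dummy
        matched = hmac.compare_digest(derive(pw, target.salt), target.digest)
        if acct is None or acct.locked:
            self.audit.append(f"{user!r}: " + ("unknown identifier" if acct is None else "locked"))
            return FAILED
        if matched:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.audit.append(f"{user}: locked after {acct.failures} failures")
        return FAILED

def scenario() -> list:
    """Constructed run: good login, three bad attempts (lockout), the right
    password against the locked account, then an identifier never enrolled."""
    auth = Authenticator()
    auth.add_user("alice", "mBiF29!")
    results = [auth.login("alice", "mBiF29!")]
    results += [auth.login("alice", f"guess{i}") for i in range(3)]
    results += [auth.login("alice", "mBiF29!"), auth.login("nobody", "mBiF29!")]
    return results
```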

Miscellaneous CC I&A Functions
FIA_ATD
–What security attributes are associated with the individual?
FIA_USB
–Does the system associate user actions with user identity?
FTA_TSE
–What factors (access port, ID, user location) affect whether a user is allowed to establish a session?

More Miscellaneous CC I&A Functions
FTA_TAH
–Does the system report an access history to the user at session establishment?
FTP_TRP
–Is there a trusted path between the user and the system? Can it be enforced?
AGD_ADM
–Administrator guidance documentation.
AGD_USR
–User guidance documentation.

Conclusions
Strong authentication is desirable.
Costs are significant.
Not really compatible with e-commerce.
Vulnerable to social engineering and the general public availability of private data.