A Practical Comparison of Modern Authentication Mechanisms.


Biometrics: Things You Are
Measure a physical trait: finger, hand, eye, face, …
From Authentication © Used by permission

Biometric Authentication
Biometrics aren’t memorized & can’t be shared
Compares the user’s signature to a previously established pattern built from that trait
“Biometric pattern” file instead of a password file

Some Based on Behavior
Measure something the person does, instead of measuring a physical trait
Examples: voice, keystrokes, written signature

Pattern Matching
We compare how closely a signature matches one user’s pattern versus another’s pattern

Matching in Practice
FRR (false rejection rate) = doesn’t recognize me; FAR (false acceptance rate) = recognized Bob instead

Biometrics in Practice
Higher security means more mistakes
– When we reduce the FAR, we increase the FRR
– More picky about signatures from legitimate users, too
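To make the FAR/FRR trade-off concrete, here is an added Go example (not from the slides) that scores constructed genuine and impostor match scores against several acceptance thresholds and locates the threshold where the two error rates meet; the score values, and the names Rates and EqualErrorThreshold, are invented for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample match scores (0..100): higher means the live signature is
// closer to the stored pattern. Genuine = the enrolled user; impostor = others.
var genuineScores = []int{92, 88, 75, 81, 69, 95, 58, 84, 77, 90}
var impostorScores = []int{31, 44, 62, 27, 55, 71, 38, 49, 66, 42}

// Rates returns FAR and FRR for a threshold; a reading is accepted when score >= threshold.
func Rates(threshold int, genuine, impostor []int) (far, frr float64) {
	accepted, rejected := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++ // impostor let in: false acceptance
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++ // legitimate user turned away: false rejection
		}
	}
	far = float64(accepted) / float64(len(impostor))
	frr = float64(rejected) / float64(len(genuine))
	return far, frr
}

// EqualErrorThreshold scans all thresholds and returns the one where FAR and FRR are closest.
func EqualErrorThreshold(genuine, impostor []int) int {
	best, bestGap := 0, 2.0
	for t := 0; t <= 100; t++ {
		far, frr := Rates(t, genuine, impostor)
		if gap := math.Abs(far - frr); gap < bestGap {
			best, bestGap = t, gap
		}
	}
	return best
}

func main() {
	for _, t := range []int{50, 60, 70, 80} {
		far, frr := Rates(t, genuineScores, impostorScores)
		fmt.Printf("threshold %d: FAR=%.1f FRR=%.1f\n", t, far, frr) // FAR falls as FRR rises
	}
	fmt.Println("equal error rate threshold:", EqualErrorThreshold(genuineScores, impostorScores))
}
```

Raising the threshold from 50 to 80 drives FAR from 0.4 to 0.0 while FRR climbs from 0.0 to 0.4, which is the dilemma the slide describes.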

The Biometric Dilemma
The biometric pattern acts like a base secret
But biometrics are not secrets
Each user leaves artifacts of her voice, fingerprints, and appearance wherever she goes
Users can’t change biometrics if someone makes a copy
Risks to personal privacy

Biometric Encryption
Use “secure” biometric readers
Authenticate the readers with base secrets
Use cryptography to protect the readings
Problem: must administer the readers’ secrets

Biometric Enrollment
How it works
– User provides one or more biometric readings
– The system converts each reading into a signature
– The system constructs the pattern from those signatures
Problems with biometric enrollment
– It’s hard to reliably “pre-enroll” users
– Users must provide biometric readings interactively
Accuracy is time consuming
– Take trial readings, build tentative patterns, try them out
– Take more readings to refine patterns
– Higher accuracy requires more trial readings

Tokens: Something You Have
Each carries a large, hard-to-guess secret
Portable, usually tamper resistant
Some implemented in software

Hardware Tokens
Resist copying and other attacks by storing the base secret in a tamper-resistant package.

Hardware Restricts Sharing
These 3 easily share a password, invited or not…
… but only one at a time has the token, even if stolen
[Figure: several people logging in as user ID croe with the shared password “egg”, including a stolen and a sniffed copy, contrasted with a single token holder]

Public Keys vs. Secret Keys
Two different technologies for tokens
Secret Keys
– Produce single-use (“one time”) passwords
– Use centralized authentication servers
Public Key Pairs
– Use challenge-response protocols
– Use certificates and “Public Key Infrastructure” (PKI)

Secret Key Authentication
[Figure: SofToken]

[Figure: SafeWord PremierAccess™ architecture. A central authentication server (web enrollment, access policy, AAA, PKI, authentication broker, LDAP) serves web servers through a web agent, VPN gateways through RADIUS, Citrix servers through an agent, dial-up RAS servers through RADIUS, and UNIX & Windows system logins through agents, for customers, partners, employees, sales staff and IT staff.]

One-Time Password Tokens
Attacker can’t reuse the sniffed password

One-time Passwords
[Figure: the user’s token computes a one-time password with DES from the token’s secret key and a sequence number; the SafeWord server holds the same secret key and sequence, computes the expected password(s), and compares.]
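An added Go example (not from the slides, and not SafeWord’s own code) of the sequence-based scheme in the figure: token and server share a secret key and a sequence number, the server checks a small look-ahead window of expected passwords, and after a successful login the sequence advances so a sniffed password is rejected if replayed. HMAC-SHA256 stands in for the DES step; the key, the Server type and the window size are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// OTP derives a six-digit one-time password from the token's secret key and
// its sequence number. HMAC-SHA256 replaces the DES step in the figure; the
// structure (secret key + sequence -> password) is the same.
func OTP(secret []byte, seq uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], seq)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	n := binary.BigEndian.Uint32(sum[:4]) & 0x7fffffff // 31-bit truncation
	return fmt.Sprintf("%06d", n%1000000)
}

// Server is the authentication server's record for one token: the same secret key and the next expected sequence.
type Server struct {
	secret []byte
	next   uint64 // lowest sequence number still acceptable
	window uint64 // how far ahead the token may have drifted (presses never typed)
}

// Verify compares the typed password with the window of expected passwords. On success
// the sequence moves past the one used, so a password sniffed on the wire cannot be replayed.
func (s *Server) Verify(pw string) bool {
	for seq := s.next; seq < s.next+s.window; seq++ {
		if hmac.Equal([]byte(OTP(s.secret, seq)), []byte(pw)) {
			s.next = seq + 1
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-demo-token-secret") // constructed sample key, not a real one
	srv := &Server{secret: key, next: 0, window: 5}
	pw := OTP(key, 0) // the user presses the token: sequence 0
	fmt.Println("first use:", srv.Verify(pw))       // true
	fmt.Println("replay:", srv.Verify(pw))          // false: sequence has moved on
	fmt.Println("resync:", srv.Verify(OTP(key, 2))) // true: press 1 was never typed, 2 is inside the window
}
```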

MobilePass™ Authentication
1. Dial the authentication server with your cell phone
2. Server sends you a text message with the one-time password
3. Type the one-time password into the password prompt
4. Authentication server compares the password you typed with the password it sent to your phone
from Secure Computing

Tokens Resist Attacks

Public Key Authentication
[Figure: key file, USB device, biometric, smart cards]

Public Key Authentication
1. Bob sends his public key to the server
2. Server sends a random challenge
3. Bob encrypts the challenge with his private key
4. Server decrypts the challenge with Bob’s public key and compares it with the challenge it sent: match!
[Figure: Bob’s private key, Bob’s public key certificate, and the public key encrypt and decrypt operations]
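The four-step exchange above, as an added Go example (not from the slides): the server issues a random challenge, Bob’s token signs it with the private key, and the server verifies with the public key it holds for Bob. It uses Ed25519 signatures, the modern form of what the slide describes as encrypting with the private key and decrypting with the public key; the Registry type and the user name are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the server's table of enrolled public keys by user name.
// In practice the key would be taken from the user's certificate (step 1).
type Registry map[string]ed25519.PublicKey

// NewChallenge is step 2: a fresh random value the server sends to Bob.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is step 3: Bob's token signs the challenge with the private key,
// which never leaves the token.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is step 4: the server checks the response with the public key it
// holds for that user. Unknown users and wrong keys fail.
func (r Registry) Verify(user string, challenge, response []byte) bool {
	pub, ok := r[user]
	return ok && ed25519.Verify(pub, challenge, response)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // Bob's key pair
	if err != nil {
		panic(err)
	}
	reg := Registry{"bob": pub}
	ch, _ := NewChallenge()
	resp := Respond(priv, ch)
	fmt.Println("bob:", reg.Verify("bob", ch, resp)) // true
	// A response captured on the wire is useless against a fresh challenge.
	ch2, _ := NewChallenge()
	fmt.Println("replay:", reg.Verify("bob", ch2, resp)) // false
}
```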

Public Key Tokens
Smart cards, USB “key” format, and PC cards
Safest ones never disclose the private key
– Generate the public key pair on the card
– Provide services, but never export the key

Public Keys in Practice
Available with Kerberos/Windows 2000
– Challenge-response function logs you in to the domain
Widely used to authenticate e-commerce hosts on the World Wide Web
– Far more common than user authentication
– Invisible to end users (did you know it was happening?)
Enrollment Process
1. Generate a public/private key pair; protect your private key
2. Give the public key and your name to a Certificate Authority
3. The Certificate Authority issues you a Certificate
4. Share your Certificate with those who must authenticate you

Certificates in E-Commerce
Certificates associate a name and a key
– Certificate integrity assured by a “digital signature”
– Signature affixed by the “Certificate Authority” (CA)
Customers use the CA’s Public Key
– Check the certificate signature with the CA’s public key
– You must have the CA key to verify the certificate!

Public Keys Resist Attacks

Public Key is Better…
Does not need a central authentication server
– Eliminates the need to protect a centralized list of secret keys
– Eliminates the need for real-time communication to a server
– You only need a set of CA keys to authenticate people & sites
Risk of subversion is distributed to the individual machines performing authentication
Easy to authenticate new users
– Each new user simply acquires and provides a certificate
Safer to distribute across multiple enterprises
Higher resistance to trial-and-error attacks

Or is Secret Key Better…
Simpler underlying technology
– Can be deployed off-the-shelf
– Does not require a complex “infrastructure”
– Redundant central servers can provide reliability and availability
One-time passwords fit existing password prompts
Works with the existing software base
– RADIUS compatibility, older Microsoft Windows integration
Easy to revoke access
– You just update the user’s entry on the central server
– It’s very difficult to revoke public keys: once a certificate is distributed, there’s no reliable way to track down all copies of it and delete them.

“Software” Tokens
Guess resistance of tokens at a lower cost
Secret Key Examples
– Token vendors build “soft tokens”
– SafeWord™, e.id™, SecurID™
Public Key Examples
– Key files in Lotus Notes, Web browsers
Does not prevent delegation
Cannot detect sniffing or copying

Multi-Factor Authentication
We cover the weaknesses of individual techniques (tokens, passwords, biometrics) by combining two or more in one mechanism
Two Factor Authentication
– ATM cards: card plus PIN
– One-time password token with a keypad: token plus PIN
– Biometric reading protected with a secret encryption key
Three Factor Authentication
– Token + memorized PIN + biometric reading
– More expensive = rarely used

Multi-Factor Token
Fingerprint “unlocks” the authentication token

Authentication Strengths

Summary
Passwords are still the cheapest and most common
– Cannot protect valuable assets: too easy to attack
– Risky on the Internet unless you use encryption, too
Biometrics have limited use on networks
– Too easy to intercept and replay
– Must be used in conjunction with cryptography
Tokens give the strongest protection
– Embedded cryptographic secrets can be hard to attack
– Hardware tokens prevent sharing and delegation
– Protect against theft with an added factor: a PIN or a biometric