G53SEC 1 Authentication and Identification Who? What? Where?

Overview of Today's Lecture:
- Username and Password
- Managing Passwords
- Choosing Passwords
- Spoofing Attacks
- Protecting the Password File
- Single Sign-On
- Alternative Approaches
- Summary

Username and Password:
- Identification – who you are
- Authentication – you are who you claim to be
- Entity authentication: "the process of verifying a claimed identity"
- TOCTTOU – time of check to time of use: the gap between the moment an identity is verified and the moment the system acts on it

continued…
- Repeated authentication – at the start of a session as well as during it
- Passwords are the first line of defence
- + Widely accepted
- + Not too difficult to implement
- - Managing passwords is expensive
- - A common way of getting in

continued… Threats to passwords:
- Forgotten passwords
- Password guessing
- Password spoofing
- Compromise of the password file
Remember: the user has a vital role in password protection.

Managing Passwords:
- Password = a secret between user and system
Issues:
- Does the password end up in the right hands?
- Interception?
- No password yet?
- New passwords – a delay is OK
- Forgotten passwords – an instant remedy is necessary

Choosing Passwords:
- A critical security issue
- Keep the probability of guessing to a minimum
Guessing strategies:
- Exhaustive search – brute force
- Intelligent search – e.g. dictionary attack

continued… Defences:
- Change default passwords
- Password length
- Password format
- Avoid obvious passwords

continued… Further security improvements:
- Password checkers
- Password generation
- Password aging
- Limit login attempts
A combination of all of those = highest security?
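The "password checker" improvement, applied to the defences listed on the two slides above, as an added example (not the lecture's own code): the dictionary and default-password lists are tiny constructed stand-ins for real word lists, and the 12-character minimum and 3-class rule are assumed policy values.

```python
import re
from typing import List

# Constructed sample data standing in for real word lists (assumption for this example).
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "1234"}


def check_password(candidate: str, min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = candidate.lower()

    # Defence: change default passwords
    if lowered in DEFAULT_PASSWORDS:
        problems.append("default password")

    # Defence: password length
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Defence: password format (require at least 3 of 4 character classes)
    classes = [re.search(r"[a-z]", candidate), re.search(r"[A-Z]", candidate),
               re.search(r"\d", candidate), re.search(r"[^A-Za-z0-9]", candidate)]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 character classes")

    # Defence: avoid obvious passwords. An intelligent search tries dictionary
    # words with digits or symbols appended, so strip such a suffix before checking.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in DICTIONARY or stripped in DICTIONARY:
        problems.append("dictionary word")

    # A long string made of one or two repeated characters is still trivial to guess.
    if len(set(candidate)) <= 2:
        problems.append("too few distinct characters")

    return problems
```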

continued… Forgotten passwords:
- People forget
- They contact an operator
- This opens a way for a new attack – social engineering
- Regularly used passwords are best remembered
- Tip: don't change passwords before the weekend or holidays

To remember…
- Don't look at security mechanisms in isolation
- Too much emphasis on one mechanism can weaken the system
- Users will try to circumvent security
- Trade-off between complexity and memory

Spoofing attacks:
- Unilateral authentication – one way
- No guarantee about the end system
- Spoofing attack, e.g. a fake login screen
Prevention:
- Display failed login attempts
- Trusted path (e.g. Ctrl+Alt+Del)
- Mutual authentication

continued… Password caching:
- The password is temporarily stored (buffer, cache, web page)
- Beyond the control of the user
- Sometimes for too long
This is another instance of object reuse.

Protecting the Password File:
- The password is compared to an entry in a password file
- An attractive target for an attacker
Protection:
- Cryptography
- Access control enforced by the OS
- A combination of the above + attack delay

Cryptography: One-way Function
- A function that is relatively easy to compute but significantly harder to undo or reverse
- x -> f(x): easy
- f(x) -> x: hard
- f(x) is stored in the password file
- The stored f(x) is compared to f(x') computed from the x' supplied by the user

Access Control:
- Access control restricts access to files and resources to users with appropriate privileges
- The password file can't be world readable – off-line dictionary attacks
- The password file can't be world writeable – anyone could change a password

continued… Password salting:
- Password + additional info (salt) -> one-way function
Remember:
- A combination of mechanisms can enhance protection
- Separate security-relevant and openly available data (e.g. /etc/passwd and shadow password files)
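The one-way function and salting slides carried through in code, as an added example that is not part of the lecture: the one-way function f is assumed to be PBKDF2-HMAC-SHA256, the salt a random 16-byte value, and the record format (algorithm$iterations$salt$f(x)) is one chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed for this example: an iteration count large enough that each guess
# in an off-line dictionary attack costs the attacker noticeable CPU time.
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Compute f(password, salt) and return the line that would go in the password file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The plaintext password is never stored: only the salt and f(x) are.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, supplied: str) -> bool:
    """Recompute f(x') from the user-supplied x' and compare it with the stored f(x)."""
    algo, iterations, salt_hex, stored_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", supplied.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(stored_hex))


def same_password_different_records(password: str) -> bool:
    """Salting: two users who choose the same password get unrelated stored values."""
    return make_record(password) != make_record(password)
```

Because the salt is stored next to f(x), it adds nothing to the secrecy of a single record; its job is to make precomputed tables useless and force one computation per guess per account.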

Single Sign-On:
- It is not convenient to repeatedly authenticate, whether with one password or several
- Single Sign-On: the password is entered once, stored by the system, which subsequently authenticates on your behalf
- Convenient
- But new problems arise – storage of the password

Alternative Approaches:
- Something you know
- Something you hold
- Who you are
- What you do
- Where you are

Something You Know:
- Knowledge of a "secret"
  - Password
  - PIN
  - Personal details
- Anybody who obtains your secret = YOU
- Passing the secret to someone else leaves no trace
- Can you prove your innocence?

Something You Hold:
- Physical token
  - A key to a lock
  - Card (smart cards, RFID cards)
  - Identity tag
- Can be lost or stolen
- Again, the one in possession becomes you
- Used in combination with something you know

Something You Are:
- Biometric schemes – unique physical characteristics
  - Face
  - Fingerprints
  - Iris patterns, etc.
- Accuracy of training and authentication
- "Forged" fingers
- Mutilations
- Acceptable to users?

Biometrics:
1. Enrolment – collection and storage of reference templates
2. Identification – finding a user in a database of templates
3. Verification – comparison against the reference template of the identified user
Matching algorithm – calculates the similarity between the reference template and the current reading. If the similarity is above a certain threshold, accept the user.

Biometrics:
- False positives – accepting the wrong user
- False negatives – rejecting a legitimate user
- A balance needs to be found!
- State-of-the-art fingerprint recognition schemes have error rates of around 1-2%
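The threshold trade-off from the two biometrics slides, as an added example that is not part of the lecture: the similarity scores are constructed values (not real biometric data) standing in for the output of a hypothetical matching algorithm, and the helper names are this example's own.

```python
from typing import List, Tuple

# Constructed sample scores in [0, 1] (assumption: not real measurements).
# GENUINE: a user's reading compared with their own reference template.
# IMPOSTOR: a reading compared with somebody else's reference template.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.79, 0.93, 0.66, 0.87, 0.90]
IMPOSTOR = [0.12, 0.33, 0.41, 0.58, 0.27, 0.69, 0.19, 0.44, 0.36, 0.52]


def accept(similarity: float, threshold: float) -> bool:
    """Verification decision: accept when the similarity reaches the threshold."""
    return similarity >= threshold


def error_rates(threshold: float, genuine: List[float] = GENUINE,
                impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Return (false positive rate, false negative rate) for one threshold.

    False positive: an impostor score is accepted (the wrong user gets in).
    False negative: a genuine score is rejected (a legitimate user is locked out).
    """
    fp = sum(accept(s, threshold) for s in impostor) / len(impostor)
    fn = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return fp, fn


def equal_error_threshold(genuine: List[float] = GENUINE,
                          impostor: List[float] = IMPOSTOR) -> float:
    """Sweep every observed score as a candidate threshold and return the one
    where the two error rates are closest: the usual 'balance' operating point."""
    candidates = sorted(set(genuine + impostor))

    def gap(t: float) -> float:
        fp, fn = error_rates(t, genuine, impostor)
        return abs(fp - fn)

    return min(candidates, key=gap)
```

Raising the threshold drives false positives down and false negatives up; a high-security door and a convenience login would pick different points on that curve.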

What You Do:
- Mechanical tasks – repeatable and specific to the individual
  - Handwritten signatures
  - Writing speed and pressure
  - Keyboard typing speed and intervals between keys
- Again needs to take false positives and negatives into account

Where You Are:
- Location of access
  - Operator console vs. arbitrary terminal
  - Office workstation vs. home PC
  - Geographical location
- IP address or GPS for locating users
- Not reliable on its own
- Should be used in combination with other mechanisms

To remember:
- A password does not authenticate a person!
- Successful authentication = the user knows a particular secret
- There is no way of distinguishing a legitimate user from an attacker who obtained the user's credentials

Summary:
- Passwords (creation, management)
- Attacks on passwords
- Alternative approaches
Next week: Access Control

End