Humanity versus Entropy: Problems with Keeping a Secret Eamon Johnson CWRU Math 408, Spring 2012 Project Presentation.

Problem Statement
Password: a secret used for authentication
An ideal secret has a few qualities:
– Hard to guess (high entropy)
– Easy to remember
– Easy to communicate
– Easy to change
Question: can entropy be increased without increasing the difficulty of remembering, communicating, and changing the secret?

Background
Real-time password complexity feedback (a strength meter) increases entropy while making passwords harder to remember
Other sources of personal entropy:
– Things you know
– Things you have
– Things you are

Problems with Keeping a Secret
Two underlying problems affect all practical sources of entropy:
Limited Entropy
– Misestimated entropy
– Unchangeable secrets
Single Point of Failure

Sources of Limited Entropy
Imagination and Memory
Personal Information
– Personal Knowledge Questions
– Shared History
Biometrics
– Information security versus authentication accuracy
– Physical properties and behavioral properties
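The "misestimated entropy" point above, and the strength-meter remark in the Background slide, come down to which search space you count. The following is an added example, not code from the original slides: it contrasts the character-class estimate a real-time complexity meter reports with the far smaller space an attacker who models passwords as "dictionary word + digits + symbol" has to enumerate. The word list is a constructed stand-in, WORDLIST_SIZE is an assumed size for a real attacker's list, and the per-component bit costs are stated assumptions.

```python
"""Naive versus structure-aware password entropy.

Added example; not code from the original slides. Contrasts what a
strength meter reports (log2 of charset ** length) with the work an
attacker faces when the password fits a "word + digits + symbol" model.
"""
import math
import re
import string
from typing import Optional

# Constructed: a tiny stand-in for an attacker's dictionary.
WORDLIST = {"password", "letmein", "dragon", "monkey", "sunshine",
            "welcome", "football", "baseball", "princess", "shadow"}
WORDLIST_SIZE = 10_000  # assumption: size of the attacker's real list

# word, optional digits, optional single trailing symbol
_PATTERN = re.compile(
    r"([A-Za-z]+)(\d*)([" + re.escape(string.punctuation) + r"]?)")


def charset_size(pw: str) -> int:
    """Alphabet size a strength meter assumes: sum of the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a complexity meter reports: log2(charset ** length)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def structured_entropy_bits(pw: str) -> Optional[float]:
    """Bits of work for an attacker who enumerates word + digits + symbol.

    Returns None when the password does not fit that model, so no bound is
    claimed that the model cannot justify. Assumed costs: the word is
    log2(WORDLIST_SIZE) bits, an optional leading capital 1 bit, each
    digit log2(10) bits and a trailing symbol log2(32) bits.
    """
    m = _PATTERN.fullmatch(pw)
    if not m:
        return None
    word, digits, symbol = m.groups()
    if word.lower() not in WORDLIST:
        return None
    if word not in (word.lower(), word.capitalize()):
        return None  # unusual casing: outside this attacker model
    bits = math.log2(WORDLIST_SIZE)
    bits += 1.0 if word != word.lower() else 0.0
    bits += len(digits) * math.log2(10)
    bits += math.log2(len(string.punctuation)) if symbol else 0.0
    return bits


def overestimate_bits(pw: str) -> Optional[float]:
    """How many bits the meter overstates, or None if no model applies."""
    s = structured_entropy_bits(pw)
    return None if s is None else naive_entropy_bits(pw) - s


if __name__ == "__main__":
    for pw in ("password", "Sunshine1!", "xq7v!Lp2"):
        print(pw, round(naive_entropy_bits(pw), 1),
              structured_entropy_bits(pw), overestimate_bits(pw))
```

"Sunshine1!" scores roughly 66 bits on the character-class estimate but under 23 under the structured model; "xq7v!Lp2" fits no pattern the model knows, so the function declines to estimate rather than inventing a number. That refusal is the honest answer a meter should give, and the gap for the first two passwords is the misestimation the slide names.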

Delegation to a Single Point of Failure
Secret Algorithms
– Violations of Kerckhoffs's principle
Off-line / Out-of-band Storage
– Paper in your wallet
External Technology
– Physical Devices: Fobs, tokens, cards
– Networked Services: single sign-on, OpenID

Combining Sources of Entropy
All practical sources of entropy have well-known weaknesses, so they are often used in combination: multi-factor authentication
Combination of schemes incurs a cost
– Technology cost
– Communication difficulty
Question: how valuable is the secret?

Quantifying the Value of a Secret
A secret has value by proxy when it is used to protect assets of value
What is an asset worth?
– Cost to return to a pre-compromise state
– Time to return to a pre-compromise state
– Asset value may fluctuate over time
A secret-keeping mechanism has costs:
– One time
– Recurring

Proposal: Tiered Security

Example: Tiered Security
Example tiers for personal information assets

Tier | Asset class | Asset example | Policy
1 | Private information | Medical records, financial records | Password in wallet, never cached
2 | Semi-private information | access, Facebook access | Password in wallet or device cache
3 | Useless / incorruptible information | Rewards card login (only used to add points) | Reused password

Conclusion
All practical sources of entropy are flawed:
– Limited Entropy
– Single Point of Failure
Entropy must be bought
Assuming acceptable risk is constant, the cost of applying the right security is the only manageable component
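The cost model from the "Quantifying the Value of a Secret" slide, the tier table, and the closing claim that cost is the only manageable component can be made mechanical. The following is an added example, not code from the original slides: an asset is worth what it costs, in money and time, to return to a pre-compromise state; a mechanism has a one-time and a recurring cost; acceptable risk is held constant as a single expected-loss budget; for each asset the rule picks the cheapest mechanism that stays inside that budget. Every figure below (recovery costs, hours, hourly rate, compromise probabilities, the three-year amortisation horizon) is a constructed assumption for illustration, not a measurement, and the mechanism names mirror the policies in the tier table.

```python
"""Picking a secret-keeping mechanism per asset tier by cost.

Added example; not code from the original slides. All numbers are
constructed assumptions chosen to illustrate the selection rule.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    recovery_cost: float    # money to return to a pre-compromise state
    recovery_hours: float   # time to return to a pre-compromise state
    hourly_rate: float      # assumed worth of an hour of the owner's time

    def value(self) -> float:
        """Value by proxy: recovery cost plus recovery time."""
        return self.recovery_cost + self.recovery_hours * self.hourly_rate


@dataclass(frozen=True)
class Mechanism:
    name: str
    one_time_cost: float
    recurring_cost_per_year: float
    compromise_prob_per_year: float  # assumed residual probability

    def annual_cost(self, horizon_years: float) -> float:
        """One-time cost amortised over the horizon, plus recurring cost."""
        return self.one_time_cost / horizon_years + self.recurring_cost_per_year


def expected_annual_loss(asset: Asset, mech: Mechanism) -> float:
    """Expected loss per year if this mechanism guards this asset."""
    return mech.compromise_prob_per_year * asset.value()


def cheapest_acceptable(asset: Asset, mechanisms: Sequence[Mechanism],
                        risk_budget: float,
                        horizon_years: float = 3.0) -> Optional[Mechanism]:
    """Cheapest mechanism whose expected loss stays within the budget."""
    acceptable = [m for m in mechanisms
                  if expected_annual_loss(asset, m) <= risk_budget]
    return min(acceptable, key=lambda m: m.annual_cost(horizon_years),
               default=None)


def tier_plan(assets: Sequence[Asset], mechanisms: Sequence[Mechanism],
              risk_budget: float) -> Dict[str, Optional[str]]:
    """Map each asset to the chosen mechanism name (None if nothing fits)."""
    plan: Dict[str, Optional[str]] = {}
    for a in assets:
        m = cheapest_acceptable(a, mechanisms, risk_budget)
        plan[a.name] = m.name if m else None
    return plan


# Constructed mechanisms, mirroring the three policies on the tier slide.
MECHANISMS = (
    Mechanism("reused password", 0.0, 0.0, 0.30),
    Mechanism("password in device cache", 0.0, 5.0, 0.05),
    Mechanism("password in wallet, never cached", 2.0, 25.0, 0.01),
)

# Constructed assets, one per tier on the slide.
ASSETS = (
    Asset("medical records", recovery_cost=5000.0, recovery_hours=40.0, hourly_rate=50.0),
    Asset("Facebook access", recovery_cost=200.0, recovery_hours=5.0, hourly_rate=50.0),
    Asset("rewards card login", recovery_cost=0.0, recovery_hours=0.0, hourly_rate=50.0),
)

RISK_BUDGET = 100.0  # assumed constant acceptable expected loss per year

if __name__ == "__main__":
    for name, mech in tier_plan(ASSETS, MECHANISMS, RISK_BUDGET).items():
        print(f"{name}: {mech}")
```

With these constructed inputs the rule reproduces the slide's tiers: the medical records (worth 7000 under the model) can only be kept inside the 100-per-year budget by the wallet policy, the Facebook account is covered by a cached password at a fifth of that cost, and the worthless rewards login gets the free reused password. Tightening the budget below what the best mechanism achieves yields None, which is the signal that entropy has to be bought from somewhere else rather than that the risk should be accepted.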

R. Munroe, 2011