CSCI 530 Lab Passwords

Overview
- Authentication
- Passwords
- Hashing
- Breaking Passwords
  - Dictionary
  - Hybrid
  - Brute-Force
  - Rainbow Tables
- Detection

Authentication
- Authentication is verifying the identity of a particular person
  - Example: Logging into a system. You enter your username and password. That is an authentication system.
- Different from Authorization
  - Authorization states what he/she can do on a system
  - Example: Administrators can install programs, while guests cannot.

Authentication
- How do we authenticate:
  - Something they know
    - Password
  - Something they are
    - Retina
    - Fingerprint
    - DNA
  - Something they own
    - Smart Card
  - Somewhere they are
    - Login only works at certain terminals

How much authentication is needed?
- We can use any one of the above, or a combination of them
- Client systems
  - Normally just a login
- Military top secret security base
  - Name Badge
  - Passcode
- Credit card purchases
  - Driver’s license
    - Name
    - Picture

How can authentication be broken?
- For security purposes, we need to know how authentication can be broken so we know how to defend against it
- Passwords
  - Can be guessed
  - Can be cracked
- Smartcards
  - Can be copied or stolen
- Fingerprints
  - Can be copied by using scotch tape

Passwords
- A secret code for verifying the identity of a person logging into a system
- They are not stored as plaintext on a system
  - This would be a very bad thing!!!
- Passwords are stored as hashes; the hash type depends on the system
  - Windows: LM Hash, NTLM
  - Unix/Linux: DES, MD5

Hashing
- Process of running data through a mathematical formula and producing a new set of data (called the hash).
- The process is one-way (you cannot get the original data back from the hash).
- There should be few collisions (two different sets of data producing the same hash). Ideally there should be no collisions.
- Examples: MD5, SHA-1, LM Hash

Windows Hashing
- Uses an algorithm called Lan Manager Hash (LM Hash)
  - Used for passwords less than 15 characters long
- Supported in all versions of Windows up to Windows ME.
- Supported in Windows 2000, XP, and 2003 for “backwards compatibility”
  - It can be turned off, but it’s on by default!

LM Hash process
- If the password is longer than 14 characters, the rest is cut off
- All lower case characters are converted to upper case
- The password is split to form two 7-character strings
- The strings are used as keys for a cryptographic algorithm called Data Encryption Standard (DES)
  - Programs are able to break DES in less than 24 hours
  - 2002 – DES has been abandoned in favour of the Advanced Encryption Standard (AES)
- Both halves are put back together to form the stored hash
- This process is repeated when the user enters his password for the first time (for storing), and every time he logs into the system

Linux Passwords
- MD5 passwords
  - Take the entire password string, send it through the MD5 algorithm, and store the result as the password entry in the /etc/shadow file
  - When the user logs in, the password entered is sent through the MD5 algorithm, and if the resulting strings match, the user is authenticated

Password Breaking
- Dictionary attack
  - List of dictionary words that are tried one after another
  - Very quick
  - If the password is not an exact match to a word on the list, then it will fail
- Hybrid attack
  - Uses a dictionary list but can also try slight variations of words, or combinations of words.
  - Example: if the word hello is in the dictionary, but the password is Hello, a dictionary attack will not break the password, but a hybrid attack will
  - Generally finds many more passwords than a dictionary attack
  - Not as quick as a dictionary attack

Password Breaking
- Brute-force attack
  - Will try every character combination until it finds the password
  - EXTREMELY SLOW
  - Will always find the password (given enough time)
- These techniques can be used either against a live system or against a file containing the password hashes

Rainbow Tables
- Invented by Philippe Oechslin
- Uses a reduce function to attempt to map a hash back to a password
- Uses chains of hash/reduce steps to determine the exact password
- For a good primer on Rainbow Tables, see:
- Pros
  - Can break any password in a matter of minutes
- Cons
  - Must have a specific Rainbow Table for a particular hashing function
  - Can be defeated using Salts
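An added example, not from the slides, that puts the unsalted MD5 storage described in the Linux Passwords slide beside a salted version to show concretely why a salt defeats a precomputed table: the table is keyed on MD5(password), but a salted entry is MD5(salt||password) with a different salt per user. The 8-byte salt and the salthex$digest storage format are my own choices here, not a real shadow-file format.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// storeUnsalted is the scheme the slide describes: the shadow entry is just
// MD5(password), so one precomputed table matches every user at once.
func storeUnsalted(password string) string {
	sum := md5.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// formatSalted builds the stored form "salthex$MD5(salt||password)".
func formatSalted(salt []byte, password string) string {
	sum := md5.Sum(append(append([]byte{}, salt...), password...))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(sum[:])
}

// storeSalted draws a fresh random salt per user: the same password yields a
// different entry each time, and a table built for MD5(password) matches none.
func storeSalted(password string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return formatSalted(salt, password), nil
}

// verifySalted repeats the slide's login-time check with the stored salt; the
// constant-time compare keeps timing from revealing how much of it matched.
func verifySalted(stored, password string) bool {
	saltHex, _, found := strings.Cut(stored, "$")
	salt, err := hex.DecodeString(saltHex)
	if !found || err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(formatSalted(salt, password)), []byte(stored)) == 1
}

func main() {
	a, _ := storeSalted("hello")
	b, _ := storeSalted("hello")
	fmt.Println(a == b, verifySalted(a, "hello"), verifySalted(a, "Hello")) // false true false
}
```

A salt does not make MD5 slower to guess; it only forces the table to be rebuilt per salt value, which is what the slide's Cons bullet is pointing at.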

Detecting someone trying to break into a system
- Auto-logout
  - If the user enters the wrong password n times, disable their account for a certain period of time
- Protect your password list on your system
  - Make sure the administrator has access and no one else, so a normal user cannot copy it onto another system
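The n-wrong-passwords rule above as an added example (not part of the slides); the values of three attempts and a 15-minute lock are assumptions, and the clock is passed in so the expiry can be exercised without waiting:

```go
package main

import (
	"fmt"
	"time"
)

// Lockout implements the slide's rule: after maxFailures wrong passwords the
// account is disabled for lockFor. The clock is injected so expiry is testable.
type Lockout struct {
	maxFailures int
	lockFor     time.Duration
	now         func() time.Time
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLockout(maxFailures int, lockFor time.Duration, now func() time.Time) *Lockout {
	return &Lockout{maxFailures, lockFor, now, map[string]int{}, map[string]time.Time{}}
}

// Allowed reports whether a login attempt for user may be processed right now.
func (l *Lockout) Allowed(user string) bool {
	if until, locked := l.lockedUntil[user]; locked {
		if l.now().Before(until) {
			return false
		}
		delete(l.lockedUntil, user) // lock expired: start the count over
		delete(l.failures, user)
	}
	return true
}

// Record feeds the result of a password check into the tracker: a correct
// password clears the count, the maxFailures-th failure in a row locks the account.
func (l *Lockout) Record(user string, success bool) {
	if success {
		delete(l.failures, user)
	} else if l.failures[user]++; l.failures[user] >= l.maxFailures {
		l.lockedUntil[user] = l.now().Add(l.lockFor)
	}
}

func main() {
	// Assumed policy: three wrong passwords lock the account for 15 minutes.
	lo := NewLockout(3, 15*time.Minute, time.Now)
	for i := 0; i < 3; i++ {
		lo.Record("alice", false)
	}
	fmt.Println(lo.Allowed("alice")) // false
}
```

The lock period is also what bounds the downside: someone who deliberately fails logins can lock a legitimate user out, but only for that period, so the lock events themselves are worth logging as a detection signal.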

This week’s lab
- We’re going to use ophcrack, which is an implementation of Rainbow Tables
- You’re going to set up user accounts on a Windows 2000 system, and practice using Rainbow Tables to break them
- REMEMBER: Wednesday we are having a guest speaker