Host and Application Security Lesson 8: You are you… mostly.

Presentation on theme: "Host and Application Security Lesson 8: You are you… mostly."— Presentation transcript:

1 Host and Application Security Lesson 8: You are you… mostly

2 OS: If we want access control
- We must have…

3 User Authentication
- Something the user knows
- Something the user has
- Something the user is
- "Two factor" means just what it says

4 Passwords
- The most common access control paradigm
- Challenges:
  - Loss
  - Convenience
  - Disclosure
  - Revocation

5 Additional Restrictions
- Time limited access
- Geospatial limitations – very clever!

6 Attacks on Passwords
- Brute force
- Common passwords
- Likely passwords
- Find the encrypted password database
- Ask!

7 Exhaustive Attack
- Not as hard as one might think…
- The search space is actually pretty small
- How tractable is this? Very!
- GPU computing makes this very fast

8 Probable Passwords
- Lots of similarities in the way people pick passwords
- Which is more likely: Flatech or 8*fgHi@d?
- Time for an xkcd…

9 Thanks, Randall!

10 How the Computer Stores Passwords
- Cannot (should not) be stored in the clear
- Encrypt them!
- Originally, in the /etc/passwd file
- Then, moved to /etc/shadow
- Typically, we store a hash of the password
- This introduces a vuln, which is…

11 NaCl
- We add a salt to each password, and store it in the clear
- This is made from the process ID and the time, stored in the clear
- When the password is hashed, the salt is added before the hashing
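The point of slides 10 and 11 is that a bare hash of the password is not enough: two users with the same password get the same stored hash, and one precomputed table of hashes for likely passwords can be checked against every record in the database. A per-user salt stored in the clear next to the hash removes both problems. The following is an added example, not part of the lecture; it uses Python's standard-library PBKDF2 in place of the classic Unix crypt() the slides allude to, draws the salt from the OS random source rather than from the process ID and time, and the iteration count is an illustrative choice rather than a value from the slides.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Illustrative value, not from the slides;
# production deployments pick this from current guidance for their hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'iterations$salt_hex$hash_hex'.

    The salt is stored in the clear, exactly as slide 11 describes; its only job
    is to make each user's hash unique so shared or precomputed tables fail.
    A fresh random salt is drawn unless the caller supplies one (used by tests).
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_hash(password: str) -> str:
    """The scheme slide 10 warns about: no salt, so equal passwords hash equally."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Contrast the two schemes on two users who chose the same password."""
    shared = "correct horse battery staple"  # constructed sample password
    alice_salted = hash_password(shared)
    bob_salted = hash_password(shared)
    return {
        # Salted: the two stored records differ, so one lookup table cannot
        # cover both users and identical passwords are not visible in the file.
        "salted_records_differ": alice_salted != bob_salted,
        # Unsalted: identical records leak that the passwords match.
        "unsalted_records_differ": unsalted_hash(shared) != unsalted_hash(shared),
        "verify_ok": verify_password(shared, alice_salted),
        "verify_wrong": verify_password("not the password", alice_salted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record format mirrors what /etc/shadow does with its `$id$salt$hash` fields: everything needed to recheck a password is stored alongside the hash, and none of it is secret except the password itself.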

12 Spearphishing
- Of course, it's much easier to just ask the user

13 One Time Passwords
- Pretty much a challenge response
- The system "asks the user a question", usually of the form "compute this function"
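Slide 13 describes a one-time password as a challenge-response: the system sends a fresh value, the user's token computes a function of it with a shared secret, and the system checks the answer. The exchange below is an added example, not from the lecture; it uses HMAC-SHA256 as the "function", a random nonce as the challenge, and both the user names and secrets are constructed sample data. It also shows why the password is one-time: a captured response does not verify against the next challenge.

```python
import hashlib
import hmac
import secrets


def token_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """What the user's token computes: HMAC(secret, challenge)."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side of the challenge-response exchange."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user   # user -> shared secret (constructed)
        self._pending = {}                # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random challenge; any previous one is discarded."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Accept only the response to the currently outstanding challenge.

        The challenge is consumed on first use, so each response is valid once.
        """
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._secrets:
            return False
        expected = token_response(self._secrets[user], nonce)
        return hmac.compare_digest(expected, response)


def run_exchange() -> dict:
    """Walk through a good login, a replay, and an unsolicited response."""
    secret = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
    server = AuthServer({"pinkie": secret})

    # 1. Legitimate login: challenge -> token computes answer -> server checks.
    c1 = server.challenge("pinkie")
    r1 = token_response(secret, c1)
    first_login = server.verify("pinkie", r1)

    # 2. Replay: someone who observed r1 resends it against a new challenge.
    c2 = server.challenge("pinkie")
    replay = server.verify("pinkie", r1)

    # 3. No outstanding challenge (it was consumed above): nothing to verify.
    unsolicited = server.verify("pinkie", token_response(secret, c2))

    # 4. Wrong secret: a token that does not hold the shared key fails.
    c3 = server.challenge("pinkie")
    wrong_key = server.verify("pinkie", token_response(b"other", c3))

    return {
        "first_login": first_login,
        "replay": replay,
        "unsolicited": unsolicited,
        "wrong_key": wrong_key,
    }


if __name__ == "__main__":
    for step, ok in run_exchange().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The server never stores or compares a password here; it stores the shared secret and only ever sees answers to questions it chose, which is the property that distinguishes this from a reusable password.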

14 Biometrics
- Some type of biological property
- Here, though, we have to think about false positives and false negatives…
- Identification versus authentication
  - "This is Pinkie Pie"
  - "I am Pinkie Pie, and I present this hoof to prove it"

15 Challenges
- Cost
- Privacy issues
- Inexact matching
- Single point of failure
- Token revocation (ouch!!!)

16 The Web
- How does authentication work on the web?

17 Assignment
- This is deliberately vague…
- "Compare Windows and Linux security more broadly. Which is 'more secure' and why? Justify your position."

18 Questions?
