
2 Chapter Six: Authentication 2013 Term 2

3 Access Control
Two parts to access control:
Authentication: Are you who you say you are?
- Determine whether access is allowed
- Authenticate human to machine
- Or authenticate machine to machine
Authorization: Are you allowed to do that?
- Once you have access, what can you do?
- Enforces limits on actions
Note: “access control” is often used as a synonym for authorization

4 Authentication Methods
The human can be authenticated to a machine based on any combination of the following:
- Something you know, e.g. a password
- Something you are, e.g. a fingerprint
- Something you have, e.g. an ATM card

5 1. Something You Know - Passwords
A password is:
- something that you know
- something that the computer can verify that you know
- something nobody else can guess, even with access to unlimited computing resources
Examples:
- PIN
- Social security number
- Date of birth
- Name of your pet, etc.

6 Why Passwords?
Why is “something you know” more popular than “something you have” and “something you are”?
Cost: passwords are free.
Convenience: it is easier for the SA (system administrator) to reset a password than to issue the user a new thumb.

7 Keys Versus Passwords
If a password is 8 characters long (8 bytes) with 256 possible choices for each character, there are 256^8 possible passwords.
- E.g. password
If a cryptographic key is 64 bits (8 bytes) long, there are 2^64 possible keys (Trudy must try 2^63 keys before she expects to find the correct one).
- E.g. Kf&Yw!a[
Although 2^64 = 256^8 (8 bytes) and this appears to be equivalent, users don’t select passwords at random, because users must remember their passwords.

8 Choosing Passwords
Some passwords are better than others. For example, the following passwords are weak:
- Frank (your name)
- 10251960 (your birthday)
Users should have passwords that are difficult to guess:
- jFiEk(43j-EmmL+y
- BedL1ON

9 Attacking Systems via Passwords
A common attack path for Trudy would be: outsider → normal user → administrator.
One weak password on a system (or one weak password on an entire network) could be enough for the first stage of the attack to succeed.

10 Part 2 Access Control 9 Attacks on Passwords
Attacker could…
- Target one particular account
- Target any account on system
- Target any account on any system
- Attempt denial of service (DoS) attack
Common attack path: outsider → normal user → administrator
- May only require one weak password!

11 Password Retry
Suppose the system locks after 3 bad passwords. How long should it lock?
- 5 seconds
- 5 minutes
- Until SA restores service
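To make the retry question concrete, here is an added Python example (not part of the original slides) of a per-account lockout guard. It is a constructed illustration: the password check is a stub, the clock is injectable so the scenario runs instantly, and lock_seconds=None models the “until SA restores service” option. The demo shows the cost of any lockout policy: once Trudy has burned three guesses, Alice’s own correct password is rejected until the lock expires or the SA unlocks her.

```python
import time
from typing import Callable, Dict, List, Optional


class LoginGuard:
    """Per-account retry limit: after max_failures bad passwords the account is locked.
    lock_seconds is the lock duration (e.g. 5 or 300); None models 'until the SA
    restores service', which only unlock() clears. The clock is injectable for testing."""

    def __init__(self, check_password: Callable[[str, str], bool], max_failures: int = 3,
                 lock_seconds: Optional[float] = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.check_password = check_password
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, Optional[float]] = {}   # None = indefinite lock

    def is_locked(self, user: str) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or self.clock() < until:
            return True
        # A timed lock has expired: clear it and restart the failure count.
        del self.locked_until[user]
        self.failures[user] = 0
        return False

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. A correct password is rejected while
        the account is locked, which is exactly why lockouts can be abused for DoS."""
        if self.is_locked(user):
            return "locked"
        if self.check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = (None if self.lock_seconds is None
                                       else self.clock() + self.lock_seconds)
            return "locked"
        return "bad_password"

    def unlock(self, user: str) -> None:
        """The SA restoring service."""
        self.locked_until.pop(user, None)
        self.failures[user] = 0


class FakeClock:
    """Constructed clock so the scenario below runs instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo(lock_seconds: Optional[float]) -> List[str]:
    """Three bad guesses lock Alice out; the returned sequence shows what follows."""
    clock = FakeClock()
    # Stub password check standing in for a real password-file lookup.
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct-password"),
                       max_failures=3, lock_seconds=lock_seconds, clock=clock)
    outcomes = [guard.attempt("alice", g) for g in ("guess1", "guess2", "guess3")]
    outcomes.append(guard.attempt("alice", "correct-password"))  # Alice herself is locked out
    clock.now += 301                                              # five minutes pass
    outcomes.append(guard.attempt("alice", "correct-password"))
    guard.unlock("alice")
    outcomes.append(guard.attempt("alice", "correct-password"))
    return outcomes


if __name__ == "__main__":
    print("5-minute lock:", demo(300.0))
    print("until SA unlocks:", demo(None))
```

With a timed lock the fifth attempt succeeds once the clock has moved on; with an indefinite lock it still fails and only the SA’s unlock() lets Alice back in.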

12 Password File?
It is a bad idea to store passwords in a file, but we need a way to verify passwords.
Cryptographic solution: hash the password
- Store y = h(password)
- Can verify an entered password by hashing it
- If Trudy obtains the “password file”, she does not obtain the passwords
But Trudy can try a forward search
- Guess x and check whether y = h(x)

13 Dictionary Attack
Trudy pre-computes h(x) for all x in a dictionary of common passwords.
Suppose Trudy gets access to a password file containing hashed passwords.
- She only needs to compare the hashes to her pre-computed dictionary
- After the one-time work, the attack is trivial
Can we prevent this attack? Or at least make the attacker’s job more difficult?

14 Salt
Hash the password with a salt: choose a random salt s, compute y = h(password, s), and store (s, y) in the password file.
Note: the salt s is not secret.
It is easy to verify a salted password, but Trudy must re-compute her dictionary hashes for each user.
- Lots more work for Trudy!
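The following Python example is added here to illustrate slides 12 to 14 together; it is not code from the slides. It uses SHA-256 as a stand-in for the generic hash h(), a constructed five-word dictionary for Trudy, and three constructed users. Against the unsalted file, Trudy’s one-time table recovers every dictionary password with no further hashing; against the salted file the table is worthless and she must re-hash the dictionary once per user, which the work counter makes visible. (A real deployment would use a slow, purpose-built password hash rather than plain SHA-256; the slides do not cover that, so this example keeps to h() as described.)

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed dictionary of common passwords used by "Trudy" in this example.
DICTIONARY = ["password", "123456", "letmein", "qwerty", "dragon"]


def h(data: bytes) -> str:
    """Stand-in for the slides' generic hash h(): SHA-256, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


# --- Unsalted scheme (slide 12): store y = h(password) ---
def store_unsalted(password: str) -> str:
    return h(password.encode())


def verify_unsalted(stored_y: str, attempt: str) -> bool:
    return store_unsalted(attempt) == stored_y


# --- Salted scheme (slide 14): choose random s, store (s, y) with y = h(password, s) ---
def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    if salt is None:
        salt = os.urandom(16)          # random, but it need not be secret
    return salt, h(salt + password.encode())


def verify_salted(entry: Tuple[bytes, str], attempt: str) -> bool:
    salt, y = entry
    return store_salted(attempt, salt)[1] == y


# --- Trudy's dictionary attack (slide 13) ---
def precompute_table() -> Dict[str, str]:
    """One-time work: map h(x) -> x for every dictionary word."""
    return {h(w.encode()): w for w in DICTIONARY}


def crack_unsalted(password_file: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Unsalted file: every user whose hash is in the table falls with zero new hashing."""
    return {user: table[y] for user, y in password_file.items() if y in table}


def crack_salted(password_file: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, str], int]:
    """Salted file: the table is useless, so Trudy re-hashes the dictionary per user.
    Returns (recovered passwords, number of hash computations she had to perform)."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, y) in password_file.items():
        for w in DICTIONARY:
            work += 1
            if h(salt + w.encode()) == y:
                recovered[user] = w
                break
    return recovered, work


def demo() -> Tuple[Dict[str, str], Dict[str, str], int]:
    """Three constructed users; Bob's password is the random-looking one from slide 7."""
    users = {"alice": "password", "bob": "Kf&Yw!a[", "carol": "dragon"}
    unsalted_file = {u: store_unsalted(p) for u, p in users.items()}
    salted_file = {u: store_salted(p) for u, p in users.items()}
    # Legitimate verification still works in both schemes.
    assert verify_unsalted(unsalted_file["alice"], "password")
    assert verify_salted(salted_file["alice"], "password")
    assert not verify_salted(salted_file["alice"], "Password")
    cracked_unsalted = crack_unsalted(unsalted_file, precompute_table())
    cracked_salted, work = crack_salted(salted_file)
    return cracked_unsalted, cracked_salted, work


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the two dictionary passwords and neither touches Bob’s; the difference is that the salted attack costs 11 fresh hashes for three users, and that cost grows with the number of users and the size of the dictionary instead of being paid once.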

15 Math of Password Cracking
Suppose that:
- All passwords are eight characters in length
- There are 256 choices for each character, resulting in 256^8 = 2^64 possible passwords
In general: (number of possible choices in each cell, e.g. byte/bit/…)^(number of cells); here 256^8 = 2^64.

16 Other Password Issues/Problems
Remembering different passwords is difficult.
“Social engineering” is when someone claiming to be a system administrator asks for your password.
Password cracking tools, such as:
- L0phtCrack (for Windows), now called LC5: used to test password strength and sometimes to recover lost Microsoft Windows passwords, using dictionary, brute-force, and hybrid attacks.
- John the Ripper (for Unix): run against various encrypted password formats including DES, MD5, Blowfish, Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

17 2. Something You Are - Biometrics
Biometrics are the “something you are” method of authentication or, in Schneier’s immortal words, “you are your key”.
Examples:
- Fingerprint
- Handwritten signature
- Facial recognition
- Speech recognition
- Gait (walking) recognition
- “Digital doggie” (odor recognition)
- Many more!

18 Why Biometrics?
A more secure replacement for passwords.
Cheap and reliable biometrics are needed.
- Today, an active area of research
Biometrics are used in security today:
- Thumbprint mouse
- Palm print for secure entry
- Fingerprint to unlock car door, etc.
But biometrics are not too popular.
- Has not lived up to its promise (yet?)

19 Biometrics
A biometric should be:
- Universal: the ideal biometric should apply to virtually everyone.
- Distinguishing: the ideal biometric should distinguish with virtual certainty.
- Permanent: the physical characteristic being measured should never change.
- Collectable: the physical characteristic should be easy to collect without any potential to cause harm to the subject.
- Reliable, robust, and user-friendly.

20 Biometrics Usage
Identification:
- Identify the subject from a list of many possible subjects.
- E.g., a suspicious fingerprint from a crime scene is sent to the FBI fingerprint database for comparison with all records on file. In this case, the comparison is one to many.
Authentication:
- The comparison is one to one.
- E.g., if someone claiming to be Alice uses a thumbprint mouse biometric, the captured thumbprint image is only compared with the stored thumbprint of Alice.

21 Phases of Biometric System
The Enrollment Phase: subjects have their biometric information entered into a database.
The Recognition Phase: a subject’s biometric information is captured and compared with the information stored in the database.

22 Biometric Examples
- Fingerprints
- Hand Geometry
- Iris Scan

23 Biometric Error Rates
For fielded fingerprint biometric systems, the equal error rate is typically about 5%.
Hand geometry has an equal error rate of about 10^-3.

24 3. Something You Have
For example:
- a network MAC address
- an ATM card
- a password generator
The process of a password generator is shown below:

25 Two-Factor Authentication
Two or three methods can work together for authentication. For example, the password generator scheme requires both:
1. “something you have” (the password generator), and
2. “something you know” (the PIN).
Requiring two out of the three methods of authentication is known as two-factor authentication.
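Since the password generator figure from slide 24 is not in this transcript, here is an added Python model of such a scheme (constructed for this page, not the slides’ own diagram) that shows how the two factors of slide 25 combine. The assumed design: the generator holds a secret key K shared with the server and answers a challenge only when the correct PIN is entered; the server sends a fresh random challenge R per login and accepts the response HMAC(K, R). Knowing the PIN without the device, or holding a device with the wrong key, both fail, and a captured response cannot be replayed because each challenge is accepted once.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class PasswordGenerator:
    """Alice's token (something you have). It holds a secret key K shared with the server
    and only answers a challenge when the correct PIN (something you know) is entered."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None                      # wrong PIN: the device stays silent
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Bob's side: knows each user's K and issues a fresh random challenge per login."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.pending: Dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)                   # fresh per attempt, so an old response is useless
        self.pending[user] = r
        return r

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        r = self.pending.pop(user, None)     # each challenge can be answered once
        if r is None or response is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, generator: PasswordGenerator, pin: str) -> bool:
    """The full exchange: challenge from Bob, response from Alice's generator, check by Bob."""
    r = server.challenge(user)
    return server.verify(user, generator.respond(pin, r))


def demo() -> Dict[str, bool]:
    """Constructed scenario: Alice's real token versus a look-alike with a different key."""
    key = os.urandom(32)
    server = Server()
    server.enroll("alice", key)
    alice_token = PasswordGenerator(key, pin="2468")
    lookalike = PasswordGenerator(os.urandom(32), pin="2468")   # right PIN, wrong device
    return {
        "both factors": login(server, "alice", alice_token, "2468"),
        "wrong pin": login(server, "alice", alice_token, "0000"),
        "wrong device": login(server, "alice", lookalike, "2468"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the combination of the right device and the right PIN logs in; the server never sees the PIN at all, which is one reason such generators are a stronger second factor than a second password.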

