
Authentication Presented by Justin Daniel.




1 Authentication Presented by Justin Daniel

2 What is authentication?
Authentication is the process used to verify identity. It is the first of the three AAA steps:
Authentication: positive identification of the person or system seeking access to secured information or services. The amount of authentication should be in proportion to the level of security desired; a site that handles credit cards and customer information needs a higher level than a newsgroup login does.
Authorization: the authenticated person is then granted a predetermined level of access to resources, set by the system administrator.
Auditing/accounting: all use of assets is logged by the systems.
There are three ways for a user to prove who they are:
Something you know: the most widely used is a password, which is simple authentication.
Something you have: keys, tokens, badges and smart cards that you must possess to "unlock" a terminal or an account.
Something you are: physiological or behavioral traits such as a fingerprint, handprint, retina pattern or voice.

3 Usernames and Passwords: Something you know
Rules for passwords; strong password creation techniques; techniques for managing multiple passwords; storing passwords.

4 5 rules to follow
1. Passwords must be memorized. If they must be written down, the written record must be locked up.
2. Choose different passwords. All your passwords must be unique: don't use the same one for your checking account that you use to check your Hotmail account.
3. Use at least 6 characters; longer is better (eRaider, the university login, requires 8). With 8 characters, capital letters alone give 26^8 = 208,827,064,576 combinations; upper and lower case letters plus digits give 62^8 = 218,340,105,584,896, about a thousand times more.
4. Use a mix of letters (uppercase and lowercase), numbers and special characters.
5. Change them periodically.

5 Strong Password Creation
Use the words of a song or phrase and add a number: "life's a game, golf is serious" becomes lag7gis.
Combine two dissimilar words: shell9sport.
Replace letters with numbers, but be careful: substitutions such as Pa55w0rd are well known and are among the first variations a password cracker tries.
Try to create passwords that are easy for you to remember but hard for someone else to recognize. The key is a password that means something to you, so you will be able to remember it.

6 Multiple Passwords
Group websites and applications by level of security and use the same password within a group, cycling complex passwords down through the groups as they age. Another technique is a common password base with parts changed according to where it is used (the slide's example varies a base such as "torrential" one way for the New York Times web site and another way for the SANS Institute web site). For example, your financial institution's web site and your financial software might share one password, and newsgroups and weather sites might share another (if someone got into those sites it would be no loss). Keep in mind that a break-in at any one site in a group exposes every other site in that group, so the high-value group should stay small.

7 Storing Passwords
If you must write them down, keep the document close to you, for instance in your purse or wallet, and write them in small type. Better, put them in an application that is password protected and encrypted (a password manager).

8 Traditional Authentication Method
Simplest; highly insecure; still in use.
The simplest, and unfortunately still quite common, authentication method is traditional local authentication. In this model, the username and password of every user who can authenticate are stored locally on the server system. Users send their usernames and passwords in plain text to the server, which compares them with its local database. If the provided username and password match, the user is considered authenticated. This is basically the model used for login on traditional multi-user systems, and it has been replicated numerous times within various application packages.

9 Traditional Authentication
(Diagram: Client, Server, and the server's password database holding entries such as usr1/pass1 and usr2/pass2, with the four numbered steps below.)
1. Client sends username to server.
2. Client sends plain-text password to server.
3. Server compares the (user, passwd) pair with its database to determine whether the user is authentic.
4. Server provides the services authorized for the user if the pair matched in step 3.

10 Weaknesses of Traditional Auth.
Passwords stored in plain text; plain-text username and password sent across the network; system-specific passwords; authentication not reusable; no cross-authentication.
In many cases users' passwords are stored in plain-text form on the server. Anyone who can gain access to the server's database has enough information to impersonate any user.
Even where passwords are stored in hashed or encrypted form, the plain-text password is still sent across a possibly insecure network from client to server. Anyone with access to the intervening network may be able to "snoop" [username, passwd] pairs out of conversations and replay them to forge authentication to the system.
Each separate system must carry its own copy of each user's authentication information. As a result, users must maintain passwords on every system they authenticate to, and are likely to choose less-than-secure passwords for convenience.
Authentication is not reusable: users must authenticate separately to each system or application they wish to access, so they type their passwords repeatedly and again tend toward weak passwords.
No attempt is made to cross-authenticate the server and client. A system that impersonates the server (via IP address spoofing, perhaps) cannot be distinguished by the client from the real server, opening the possibility of trojan-horse servers collecting [username, passwd] pairs and later using them to authenticate to the real server.
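The first weakness, plain-text storage, is the one the server can fix on its own. The following added example (not code from the presentation) puts the slide's plain-text database next to a hardened version that stores a random per-user salt and a PBKDF2-HMAC-SHA256 derived key, compares in constant time, and does the same amount of work for unknown usernames. The usernames, passwords and iteration count are constructed for the example; the iteration count is an assumption to be tuned to roughly 100 ms on the real server.

```python
import hashlib
import hmac
import os

# --- The traditional model from the slide: plain-text storage and comparison ---
# Constructed sample database; anyone who copies it has every user's password.
PLAINTEXT_DB = {"usr1": "pass1", "usr2": "pass2"}


def traditional_login(username, password):
    """Insecure: compares the submitted password with the stored plain text."""
    return PLAINTEXT_DB.get(username) == password


# --- Hardened storage: random per-user salt + PBKDF2-HMAC-SHA256 ---
# Assumption: ITERATIONS is tuned to about 100 ms of work on the real server.
ITERATIONS = 200_000
SALT_LEN = 16


def make_record(password):
    """What the server stores: the salt, the cost, and the derived key.
    The salt makes the same password hash differently for different users and
    defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record, password):
    """Recompute the derived key and compare in constant time, so response
    timing does not reveal how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


HASHED_DB = {"usr1": make_record("pass1"), "usr2": make_record("pass2")}


def hardened_login(username, password):
    """Login against the hashed database: the server never holds a stored
    plain-text password, and a stolen database yields only salted hashes."""
    record = HASHED_DB.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # disclose which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, ITERATIONS)
        return False
    return verify(record, password)


def offline_guess(record, wordlist):
    """What an attacker holding a stolen record must do: one full PBKDF2
    computation per guess, per user (the salt prevents sharing work across
    users). The slow hash only buys time; a password that is in the word
    list still falls, which is why the earlier slides insist on strong,
    unique passwords."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None
```

This repairs only the storage weakness. The password still crosses the network in plain text and the client still cannot tell a trojan-horse server from the real one; those need an encrypted, server-authenticated transport, or a protocol such as Kerberos (next slides), in which the password never leaves the workstation.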

11 Kerberos
Created at MIT; named for the three-headed dog; version 5 is the standard today.
It was developed at MIT starting in 1983. Kerberos was named after the three-headed dog that guarded the entrance to Hades in Greek mythology.

12 How does Kerberos work? Simple example
(Diagram: Client A, the KDC's authentication server (AS), and Service B, with steps 1-4.)
1. Client A logs on and sends a request to the authentication server for credentials to access Service B. The request is protected with A's master key (typically derived from a memorized password), which the AS holds in its database of keys.
2. The AS decrypts the request with A's master key and verifies that it did come from her. It then creates a new session key and two encrypted copies of it: one, called the ticket and addressed to A, is encrypted with A's master key; the other, which we call B, is encrypted with Service B's master key. The AS sends both back to Client A.
3. Client A decrypts ticket A with her master key, verifies that the AS has processed the request to use Service B, creates an authenticator containing her name and a timestamp, and encrypts the authenticator with the session key. She then sends B and the authenticator to Service B.
4. Service B decrypts B with its own master key and extracts the session key. With the session key it opens the authenticator and checks that the username matches the ticket, the checksum is correct, and the timestamp is fresh (a 5 minute window is typical). Once the session key and authenticator match, it lets Client A use its services until the ticket's validity period (usually 8 hours) expires; then the process starts over.
This works fine in a simple environment, but in a more complex one the user would have to enter her username and password every time she needed a different resource (a mail server, a file server, a print server). So for larger systems a ticket-granting ticket is introduced.

13 Kerberos Ticket Granting Server
(Diagram: Client A, the KDC with its AS and ticket granting server (TGS), and Service B, with steps 1-6.)
1. Client A logs on to the workstation with her username and password; the workstation sends the AS a request for a ticket-granting ticket (TGT).
2. The AS receives the request, authenticates her, encrypts a new TGT (and the session key that goes with it, under Client A's master key), and sends it back. Now that Client A has a TGT she will not have to keep re-authenticating to gain access to new services.
3. Whenever Client A needs a new service, the workstation sends the TGS a copy of the TGT, the name of the server that holds the application needed, an authenticator, and the time period for which she needs access, requesting a ticket for each service.
4. Once the TGS has verified that Client A is who she says she is (using the session key to open her authenticator, as in the earlier example) and that the TGT matches the authenticator, it sends her the tickets for the services she needs.
5. After receiving the tickets, Client A's workstation verifies that each is for a service she originally requested and sends a ticket to each relevant server, requesting that it allow her to use its services.
6. Each server that receives a request verifies that it came from the same person or machine to which the TGS granted the ticket. As each server determines that Client A has authority to use the requested service, it authorizes her to begin using it.
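The two exchanges on slides 12 and 13 (AS, TGS and finally the service) can be followed end to end in the added example below, which is not code from the presentation and not a real Kerberos implementation. The principal names (alice, mail, krbtgt), the 5 minute skew and 8 hour ticket lifetime quoted on the slides, and the toy seal/open routine (a SHA-256 keystream with an HMAC tag, standing in for the real AES encryption types) are all assumptions made for the illustration. The KDC is written without pre-authentication on purpose, so that the password-guessing weakness on the next slide is visible in the code.

```python
import hashlib
import hmac
import json
import os

# Toy seal/open (SHA-256 keystream + HMAC tag) standing in for the Kerberos encryption
# types; assumption: illustration only, a real KDC uses the RFC 3962 / RFC 8009 AES types.
def _keystream(key, nonce, length):
    out, block = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def seal(key, message):
    """Encrypt-then-MAC a JSON message: nonce || ciphertext || tag."""
    plaintext, nonce = json.dumps(message).encode(), os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def open_(key, blob):
    """Check the tag, then decrypt. The wrong key (a wrong password) fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def master_key(password):
    """The slide's 'master key': derived from the memorized password (unsalted here)."""
    return hashlib.sha256(password.encode()).digest()

MAX_SKEW = 300           # authenticator timestamps more than 5 minutes off are rejected
TICKET_LIFE = 8 * 3600   # tickets are valid for 8 hours

def check_authenticator(auth, ticket_client, now):
    if auth["client"] != ticket_client:
        raise ValueError("authenticator name does not match the ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside the 5 minute window")

class KDC:
    """Holds every principal's master key; runs the AS and TGS exchanges."""
    def __init__(self, keys):
        self.keys = keys   # principal -> master key; "krbtgt" is the TGS's own key

    def as_exchange(self, client, now):
        # AS-REP: the TGT (sealed under the TGS key, opaque to the client) and the TGT
        # session key sealed under the client's master key. There is no pre-authentication
        # here, so anyone can request this reply and attack it offline with a dictionary:
        # the password-guessing weakness listed on the next slide.
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "skey": session, "expires": now + TICKET_LIFE})
        return tgt, seal(self.keys[client], {"skey": session, "service": "krbtgt"})

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = open_(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        skey = bytes.fromhex(t["skey"])
        check_authenticator(open_(skey, authenticator), t["client"], now)
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "skey": session, "expires": now + TICKET_LIFE})
        return ticket, seal(skey, {"skey": session, "service": service})

class Service:
    """Service B: needs only its own master key and never contacts the KDC."""
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        t = open_(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        auth = open_(bytes.fromhex(t["skey"]), authenticator)
        check_authenticator(auth, t["client"], now)
        if (auth["client"], auth["ts"]) in self.seen:   # replay cache for the skew window
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return t["client"]

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, master_key(password)

    def login(self, kdc, now):
        self.tgt, enc = kdc.as_exchange(self.name, now)
        self.tgs_key = bytes.fromhex(open_(self.key, enc)["skey"])   # wrong password fails here

    def get_ticket(self, kdc, service, now):
        auth = seal(self.tgs_key, {"client": self.name, "ts": now})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(open_(self.tgs_key, enc)["skey"])

    def use_service(self, svc, ticket, skey, now):
        return svc.ap_exchange(ticket, seal(skey, {"client": self.name, "ts": now}), now)
```

Two things worth noticing when running it: the password never leaves the workstation (it is only used to open the AS reply), and the service authenticates the client without ever talking to the KDC, because only the KDC and the service know the service's master key. Presenting the same authenticator twice, presenting one with a stale timestamp, or presenting a ticket after its lifetime are all refused.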

14 Kerberos Assumptions/weaknesses
Password guessing; physical security; secret passwords; DoS; secure AS; authentication identifiers.
Dictionary attacks are not solved by Kerberos: an attacker can still get a user's password if the user chooses a weak one, because material encrypted under the password-derived key can be guessed against offline.
The model assumes that all servers, workstations and other devices are physically secure (behind lock and key).
The user must keep her password secret; if it is written down or given to someone, the authentication method is of no use.
Kerberos does not help thwart denial-of-service attacks.
The authentication server and any other server that caches keys must be secure.
Principal identifiers must not be recycled in the short term. For example, if a user leaves the network but is not removed from the access control lists, and the principal identifier is then given to another user, the new user has the same access as the previous one.

15 Digital Certificates: Electronic encryption and decryption
Symmetric ciphers; asymmetric ciphers.
Encryption is the process of converting a plain-text message into a secret message; decryption reverses the process. Ciphers are the techniques used to encrypt and decrypt.
Symmetric ciphers use the same key to both encrypt and decrypt. They are more efficient, but an attacker who obtains the key can read every message coming and going, and the key must first be shared secretly with each party.
Asymmetric ciphers use one key for encrypting and a different one for decrypting. The keys are different but act as a pair: one is the private key and the other is the public key.

16 Asymmetric Ciphers
Private key; public key; certification authorities.
Private key: as it sounds, this is the one you keep private. It is used to decrypt messages sent to you and to sign messages you send.
Public key: again as it sounds, this is the key advertised to anyone and everyone.
Anyone can send you a message encrypted with your public key, but only your private key can decrypt it. The reverse direction gives signatures: what your private key signs, anyone can verify with your public key.
A certification authority (CA) is a third-party entity that verifies the actual identity of an organization or individual before issuing a digital certificate, which binds that identity to a public key, somewhat like a driver's license. The level of confidence placed in a CA varies. It is possible a CA did not do its homework, in which case the certificates it issued are not worth much; some CAs require a person to come to the office in person with paperwork and picture ID for verification, and those are obviously the most trustworthy certificates.
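The key-pair relationship and the CA's role can be seen in the added example below, which is not code from the presentation. It uses textbook RSA on freshly generated primes (no padding, no certificate expiry or revocation) purely to show the mechanics: encryption with the public key is undone only by the private key, signing with the private key is checked by anyone with the public key, and a certificate is nothing more than the CA's signature over the binding of a name to a public key. The names (Example CA, bob@example.com) and the certificate layout are assumptions for the illustration.

```python
import hashlib
import random

# Assumption: textbook RSA with no padding, no expiry and no revocation. It shows the
# key-pair relationship and the CA's role; it is not a usable cryptosystem.
E = 65537


def _probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(candidate):
            return candidate


def generate_keypair(bits=384):
    """Return (public, private): public = (n, e), private = (n, d)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, E), (p * q, pow(E, -1, phi))


def encrypt(public, message):
    """Anyone can do this with the public key."""
    n, e = public
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "message must be shorter than the modulus"
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """Only the holder of the private key can undo encrypt()."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, data):
    """The reverse direction: the private key signs a hash of the data."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify_signature(public, data, signature):
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def _to_be_signed(subject, subject_public):
    """The bytes the CA vouches for: the binding of a name to a public key."""
    return f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()


def issue_certificate(ca_private, ca_name, subject, subject_public):
    """The CA, after checking the subject's identity out of band, signs the binding."""
    return {"subject": subject, "public": subject_public, "issuer": ca_name,
            "signature": sign(ca_private, _to_be_signed(subject, subject_public))}


def verify_certificate(cert, ca_public):
    """A relying party needs only the CA's public key to check any certificate it issued."""
    return verify_signature(ca_public, _to_be_signed(cert["subject"], cert["public"]), cert["signature"])
```

The slide's point about CA diligence shows up in the last function: verification proves only that the CA signed this name-to-key binding. If the CA did not check who presented the key, the signature is still mathematically valid and still worthless.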

17 Security Tokens: Something you have
Passive tokens; active tokens; one-time passwords; counter based; clock based.
A security token is an authentication device that has been assigned to a specific user by an appropriate administrator.
Passive tokens simply act as storage for a base key. They may transmit their code in several ways, including a magnetic stripe read by a card reader or a bar code read by a scanner; ATM cards and credit cards are other examples. They are less secure because the stored value is handed over unchanged every time and the accompanying PIN can be watched by shoulder surfers.
Active tokens do not emit their base key the way a passive token does. Instead they produce a derived value, usually encrypted, or a one-time password. Examples are smart cards, USB tokens and PCMCIA cards, all of which require a reader.
One-time passwords: just as it sounds, a password that is used only once and is valid only for a short period.
Counter based: an active token that produces a one-time password by combining a secret key stored in the token with a counter that is synchronized with a counter on the server (each press advances the counter).
Clock based: works the same way but combines the secret key with the token's internal clock, so the server needs only the shared secret and a reasonably accurate clock.
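The counter-based and clock-based one-time passwords described above are what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardize. The added example below, which is not code from the presentation, implements both generators and the server-side verifiers that go with them, including the part the slide leaves implicit: how a counter-based server recovers when the token has been pressed without the server seeing it, and how a clock-based server tolerates clock drift while refusing a code that was already used. The shared secret is the RFC test vector seed, so the codes can be checked against the RFC tables; the look-ahead window and skew are assumed values.

```python
import hashlib
import hmac
import struct

# Assumption: the token and the server share this seed, provisioned at enrollment.
# It is the RFC 4226 / RFC 6238 test secret, so the codes can be checked against the RFCs.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP where the 'counter' is the number of time steps since the epoch."""
    return hotp(secret, int(now // step), digits, algo)


class CounterBasedVerifier:
    """Server side of a counter-based token. The token advances its counter on every
    press; presses that never reach the server leave the two out of step, so the
    server searches a small look-ahead window and then jumps forward. It never
    accepts a counter below the next expected one, which blocks replay."""

    def __init__(self, secret, look_ahead=10):
        self.secret, self.next_counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


class ClockBasedVerifier:
    """Server side of a clock-based token. Clock drift is tolerated by also trying the
    adjacent time steps; each step is accepted at most once, so a code sniffed on the
    wire cannot be reused inside its 30 second window."""

    def __init__(self, secret, step=30, skew_steps=1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew_steps, -1

    def verify(self, code, now):
        current = int(now // self.step)
        for s in range(current - self.skew, current + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False
```

Both verifiers keep state (the next counter, or the last accepted step); a server that forgets it turns the one-time password back into a reusable one.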

18 Biometrics: Something you are
How they work; false positives; false negatives; types (physical characteristics, behavioral characteristics).
You scan your chosen biometric (fingerprint, iris, signature, etc.) the first time after your identity has been verified by a driver's license or the like. The biometric is converted into an electronic template, which is stored in a repository (a smart card, a central server, etc.) for later use. When you try to gain access to a resource, the biometric is scanned again; a computer analyzes it and compares it to the stored template. If the new scan matches the template closely enough, you are allowed access, provided you also have authorization.
False positive: an unauthorized person is wrongly authenticated by biometric means (a false accept).
False negative: an authorized person who is actually who they say they are is not authenticated (a false reject), for example when a man grows a beard. The two rates move in opposite directions as the matching threshold is tightened or loosened.
Types
Physical
Fingerprints: looks at the patterns on the surface of the fingertip; the most developed and widely used.
Hand geometry: measures your hand; easy to use but has a low level of accuracy.
Retinal scanning: analyzes the layer of blood vessels at the back of the eye. Highly accurate, but difficult to use because the user has to focus on a specific point, the equipment is rather large, and it is very pricey.
Iris scanning: analyzes the patterns of the colored part of the eye surrounding the pupil; easy to use and very accurate.
Facial scanning: looks at facial characteristics; the individual does not have to cooperate, but it is less effective in low light and features change over time.
Behavioral
Handwritten signatures: analyzes the way someone signs their name, looking at speed, pressure and shape. Users do not sign their name the same way every time, but they like it because it is less obtrusive.
Voice: relies on voice-print technology, not speech recognition: the characteristics of the speaker's voice are turned into a voice print and compared to the original template. Background noise can be a problem, but it may be easy to implement because many users already have microphones.
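The enrollment-template-match cycle and the false positive / false negative tradeoff are easiest to see with numbers. The added example below is not code from the presentation; it stands in for any of the physical or behavioral types above with a constructed four-feature "biometric", enrolls a template by averaging noisy scans, scores a new scan by distance to the template, and then measures the false accept rate (false positive) and false reject rate (false negative) for a range of decision thresholds over a constructed population of genuine and impostor scans. The feature values, noise level and population are all constructed for the example.

```python
import math
import random

# Constructed data: a 4-feature "biometric" for one user. Real systems use hundreds of
# minutiae or iris-code bits; the threshold tradeoff shown here is the same.
_rng = random.Random(7)
USER_TRUE_FEATURES = [0.2, 0.8, 0.5, 0.3]


def _scan(true_features, noise):
    """Simulate one scan of the biometric with sensor noise."""
    return [f + _rng.gauss(0, noise) for f in true_features]


def enroll(scans):
    """Enrollment: average several scans into the stored template."""
    return [sum(s[i] for s in scans) / len(scans) for i in range(len(scans[0]))]


def similarity(template, scan):
    """Match score in (0, 1]: 1.0 means identical, smaller means further away."""
    return 1.0 / (1.0 + math.dist(template, scan))


def decide(template, scan, threshold):
    """Verification: accept if the scan is at least `threshold` similar to the template."""
    return similarity(template, scan) >= threshold


def error_rates(template, genuine_scans, impostor_scans, threshold):
    """False accept rate (false positive) and false reject rate (false negative)."""
    far = sum(decide(template, s, threshold) for s in impostor_scans) / len(impostor_scans)
    frr = sum(not decide(template, s, threshold) for s in genuine_scans) / len(genuine_scans)
    return far, frr


def build_population(n=200):
    """Genuine scans of the enrolled user (noisy) and impostor scans (other people)."""
    genuine = [_scan(USER_TRUE_FEATURES, 0.05) for _ in range(n)]
    impostors = [[_rng.random() for _ in range(4)] for _ in range(n)]
    return genuine, impostors


def sweep(thresholds=(0.5, 0.6, 0.7, 0.8, 0.9, 0.95)):
    """(FAR, FRR) per threshold: tightening it cuts false accepts and raises false rejects."""
    template = enroll([_scan(USER_TRUE_FEATURES, 0.05) for _ in range(5)])
    genuine, impostors = build_population()
    return {t: error_rates(template, genuine, impostors, t) for t in thresholds}
```

No single threshold makes both rates zero; the operator picks the point on the curve that suits the resource (a low false accept rate for a data center door, a low false reject rate for a consumer phone). The "man grows a beard" case on the slide is a genuine scan drifting away from its template, which raises the false reject rate until the user re-enrolls.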

19 Misc. info
Domain controller; the big picture of authentication; real-world example: a DSA domain.

