Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication and Identification

Published byGeoffroy Raphaël Boulet Modified over 6 years ago

Similar presentations

Presentation on theme: "Authentication and Identification"— Presentation transcript:

1 Authentication and Identification
G53SEC Authentication and Identification Who? What? Where? 1

2 Overview of Today’s Lecture:
G53SEC Overview of Today’s Lecture: Username and Password Managing Passwords Choosing Passwords Spoofing Attacks Protecting the Password File Single Sign-On Alternative Approaches Summary 2

3 Username and Password:
G53SEC Username and Password: Identification – Who you are Authentication – You are who you claim to be Entity Authentication “The process of verifying a claimed identity” TOCTTOU – time of check to time of use 1. First contact with security = log –in screen 2. Identification – username 3. Authentication – password 4. Checked against database/file 5. If ok then logged in else 6. Repeat until logged in or threshold reached – e.g. ATM’s ---- TOCTTOU – a type of race condition prevented by repeated authentication e.g. paying in a shop and taking away a bank note e.g. changing a website by a user and an admin restricting its access after it is opened 3

4 Repeated authentication – at start as well as during a session
G53SEC continued… Repeated authentication – at start as well as during a session First line of defence Widely accepted Not too difficult to implement Managing passwords – expensive Common way of getting in If authentication only defense, then system easily breakable 4

5 compromise of the password file
G53SEC continued… forgotten passwords password guessing password spoofing compromise of the password file Remember User has a vital role in password protection Revealing passwords, giving them to friends Writing them on a post-it 5

6 Password = a secret between user and system
G53SEC Managing Passwords: Password = a secret between user and system Issues Password ends up in right hands? Interception? No password yet? New passwords – delay ok Forgotten passwords – instant remedy necessary Mail, , phone, web Don’t give pwd to caller but call back Call user’s manager Pwds valid for single sing in only – change required immediately Courier with personal delivery Confirmation on a different channel Big firms – 24h hot desk – a major cost factor --- Example – hotel with pins on piece of paper – toilet – locked out for the night 6

7 Critical security issue Keeping probability of guessing to minimum
G53SEC Choosing Passwords: Critical security issue Keeping probability of guessing to minimum Guessing strategies: Exhaustive search – brute force Intelligent search – e.g. dictionary attack 7 7

8 Change default passwords
G53SEC continued… Defences: Change default passwords Password length Password format Avoid obvious passwords Minimal pwd length should be set Mix upper & lower chars + special chars Avoid words in a dictionary etc.. 8 8

9 Further security improvements: Password checkers Password generation
G53SEC continued… Further security improvements: Password checkers Password generation Password aging Limit login attempts A combination of all those = highest security? Check against weak passwords – dictionary or format Random pswds – users not allowed to pick own pswds Pswds expire after a while – problem with changing 7 times and use old again or pwd01 9 9

10 continued… G53SEC Similar when passwords changed too frequently
pwd01, pwd02, etc… 10 10

11 Opens a way for a new attack – Social Engineering
G53SEC continued… People forget Contact an operator Opens a way for a new attack – Social Engineering Regularly used passwords best remembered Tip - don’t change passwords before the weekend or holidays Even when people adhere to all these, they sometimes forget Social engineering - based on social rather than technical skills – bullying sysadmin 11 11

12 Don’t look at security mechanisms in isolation
G53SEC to remember… Don’t look at security mechanisms in isolation Too much emphasis can weaken the system Users will try to circumvent security Trade-off between Complexity and Memory 12 12

13 Unilateral authentication – one way No guarantee about end system
G53SEC Spoofing attacks: Unilateral authentication – one way No guarantee about end system Spoofing attack e.g. Fake login screen Prevention display failed login attempts trusted path (e.g. ctrl+alt+del) mutual authentication Uname + pwd = unilateral security ctrl+alt+del = secure attention sequence 13 13

14 password temporarily stored (buffer, cache, web page)
G53SEC continued… Password caching password temporarily stored (buffer, cache, web page) beyond control of user sometimes for too long This is another instance of object reuse. Example of early banking system and web cache when using the back button. Close application but don’t end browser session. 14 14

15 Protecting the Password File:
G53SEC Protecting the Password File: Password compared to an entry in a password file An attractive target for an attacker Protection Cryptography Access control enforced by the OS Combination of the above + attack delay Disclosure of unencrypted password file – another password compromise Disclosure of encrypted password file – a concern – brute force attacks where limited logins don’t apply etc.. 15 15

16 f(x) is stored in the password file
G53SEC Cryptography: One-way Function A function that is relatively easy to compute but significantly harder to undo or reverse. x f(x) f(x) x f(x) is stored in the password file f(x) compared to computed f(x’) from x’ supplied by user 16 16

17 Password file can’t be world readable - Off-line dictionary attacks
G53SEC Access Control: Access Control Restricts access to files and resource to users with appropriate privileges Password file can’t be world readable - Off-line dictionary attacks or writeable - Change password Dictionary attacks – attacker encrypts all words in dictionary and compares against file Change password even if encrypted! 17 17

18 Password + Additional Info (Salt) - > Encrypt
G53SEC continued… Password salting Password + Additional Info (Salt) - > Encrypt Remember Combination of mechanisms can enhance protection Separate security relevant and openly available data (e.g. /etc/passwd and shadow password files) Salting when it is not possible to hide password file. Useful as direct encryption of dictionary doesn’t work The extra info is required And even if same 2 passwords used, can be found out easily 18 18

19 Not convenient to repeatedly authenticate
G53SEC Single Sign-On: Not convenient to repeatedly authenticate Whether one or multiple passwords Single Sign-On Password entered once. Stored by system and subsequently authenticating on your behalf. Convenient But new problems arise – storage of password Login machine, network, server, database, … SSO – MSN/Live messenger + hotmail or google services Storge of passwords & password in clear sometimes Again the curse of convenience vs. security 19 19

20 Alternative Approaches:
G53SEC Alternative Approaches: Something you know Something you hold Who you are What you do Where you are 20 20

21 Knowledge of a “secret” - Password - PIN - Personal Details
G53SEC Something You Know: Knowledge of a “secret” - Password - PIN - Personal Details Anybody who obtains your secret = YOU No trace of passing secret to someone else Can you prove your innocence? Example using Mothers maiden name – Iceland no surnames - Some cultures – women don’t change name after marriage 21 21

22 Card (Smart cards, RFID cards) Identity Tag
G53SEC Something You Hold: Physical token A key to a lock Card (Smart cards, RFID cards) Identity Tag Can be lost or stolen Again the one in possession becomes you Used in combination with something you know Debit cards come with a pin Student ID cards come with a photo 22 22

23 Biometric schemes – unique physical characteristics Face Fingerprints
G53SEC Something You Are: Biometric schemes – unique physical characteristics Face Fingerprints Iris patterns, etc… Accuracy of training and authentication “forged” fingers Mutilations Acceptable by users? 23 23

24 Enrolment - Collection and storage of reference templates
G53SEC Biometrics: Enrolment - Collection and storage of reference templates Identification – Finding a user in a database of templates Verification - Comparison against the reference template of identified user Matching algorithm – calculates similarity between reference template and current reading. If similarity above certain threshold, accept user. Reference templates – e.g. samples of users fingers 24 24

25 False positives – Accepting the wrong user
G53SEC Biometrics: False positives – Accepting the wrong user False negatives – Rejecting a legitimate user A balance needs to be found! State-of-the-art fingerprint recognition schemes have error rates of around 1-2% If threshold not good! 25 25

26 Mechanical Tasks – repeatable and specific to individual
G53SEC What You Do: Mechanical Tasks – repeatable and specific to individual Handwritten signatures Writing speed and pressure Keyboard typing speed and intervals between keys Again needs to take into account false positives and negatives 26 26

27 Operator console vs. arbitrary terminal Office workstation vs. home PC
G53SEC Where You Are: Location of access Operator console vs. arbitrary terminal Office workstation vs. home PC Geographical location IP address or GPS for locating users Not reliable on its own Should be used in combination with other mechanisms 27 27

28 - A Password does not authenticate a person!
G53SEC To remember: - A Password does not authenticate a person! - Successful authentication = user knows a particular secret - No way of distinguishing legitimate user and attacker who obtained the user’s credentials 28 28

29 Passwords (creation, management) Attacks on passwords
G53SEC Summary: Passwords (creation, management) Attacks on passwords Alternative approaches Next Week Access Control 29 29

30 G53SEC End 30

Download ppt "Authentication and Identification"

Similar presentations

1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.

BIOMETRICS AND NETWORK AUTHENTICATION Security Innovators.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Marjie Rodrigues 411154.

Marjie Rodrigues
Security-Authentication

Security-Authentication
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

Similar presentations

Ads by Google