NET 311 Information Security
Networks and Communication Department
Lecture 8: ACCESS CONTROL
CONTENTS
• Access Control
• Authentication
• Authorization
• Steps of Authentication
• Means of Authentication
• Attacking a system via passwords
• Birthday attack
• Rainbow attack
23-Nov-18 Networks and Communication Department
ACCESS CONTROL
The term access control refers to issues concerning access to system resources. There are two primary parts to access control:
• Authentication
• Authorization
AUTHENTICATION
Authentication deals with the problem of determining whether a user (or other entity) should be allowed access to a particular system or resource. (The focus in this discussion is on the methods used by humans to authenticate themselves to machines.)
Authentication: Who goes there?
AUTHORIZATION
Restricting the actions of authenticated users is called authorization. Authenticated users are allowed access to system resources, but an authenticated user is generally not given carte blanche access to all system resources. For example, we might only allow a privileged user, such as an administrator, to install software on a system. Authorization deals with more fine-grained restrictions and limitations on access to various system resources.
Authorization: Are you allowed to do that?
TWO STEPS OF AUTHENTICATION
Authentication is the process of verifying an identity claimed by or for a system entity. An authentication process consists of two steps:
• Identification step: presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as the access control service.)
• Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier.
MEANS OF AUTHENTICATION
There are four general means of authenticating a user's identity, which can be used alone or in combination:
• Something the individual knows: examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
• Something the individual possesses: examples include cryptographic keys, electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token.
• Something the individual is (static biometrics): examples include recognition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
PASSWORDS
An ideal password is something that you know, something that a computer can verify that you know, and something nobody else can guess, even with access to unlimited computing resources. Many things act as passwords. For example, the PIN for an ATM card is equivalent to a password. When users select passwords, they tend to select bad passwords, which makes password "cracking" surprisingly easy.
PASSWORDS
Why are passwords so popular? That is, why is "something you know" more popular than "something you have" and "something you are", when the latter two are, presumably, more secure? The answer is primarily cost, and secondarily convenience.
COST: passwords are free, while smart cards and biometric devices cost money.
CONVENIENCE: it is more convenient for an overworked system administrator to issue a new password than to provide and configure a new smart card. It is much more convenient to reset a compromised password than to issue a user a new thumb.
CHALLENGE RESPONSE AUTHENTICATION
In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
Challenge/response: party A, expecting a fresh message from B, first sends B a nonce (the challenge) and requires that the subsequent message (the response) received from B contain the correct nonce value. The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password. Note that this degenerate case provides no freshness: the response is identical every time, so anyone who observes it can replay it. A nonce that changes on every run, together with a response that binds the nonce to a secret (for example a keyed hash of the nonce), is what prevents replay.
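As an added example (not from the slides), the nonce-based exchange described above with both sides' messages: the server issues a fresh random challenge, the client answers with an HMAC of the challenge under a shared key, and the server checks the answer against the one live challenge only, so a sniffed response cannot be replayed. The user name, the shared key and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secrets for the example (hypothetical user; not from the slides).
SHARED_KEYS = {
    "alice": b"alice-long-random-shared-secret-key",
}


class Server:
    """Party A: issues a fresh nonce and checks that the response binds it to the shared key."""

    def __init__(self, keys):
        self.keys = keys
        self.outstanding = {}  # user -> nonce of the one live challenge

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)          # fresh, unpredictable challenge
        self.outstanding[user] = nonce  # a new challenge replaces any older one
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(user, None)  # each challenge is usable once
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def respond(key: bytes, nonce: bytes) -> bytes:
    """Party B: proves knowledge of the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_exchange(server: Server, user: str, key: bytes):
    """One honest exchange, then an attacker replaying the observed response
    against a new challenge. Returns (honest_accepted, replay_accepted)."""
    nonce = server.challenge(user)
    resp = respond(key, nonce)
    honest_ok = server.verify(user, resp)

    # Trudy sniffed (nonce, resp). The next challenge is different, so the old response fails.
    server.challenge(user)
    replay_ok = server.verify(user, resp)
    return honest_ok, replay_ok


if __name__ == "__main__":
    srv = Server(SHARED_KEYS)
    print(run_exchange(srv, "alice", SHARED_KEYS["alice"]))  # (True, False)
```

The response reveals nothing about the key to an eavesdropper, unlike a password sent in the clear; the remaining weakness is that if the shared key is itself a low-entropy password, an eavesdropper can still guess it offline against a captured (nonce, response) pair.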
EXAMPLE: SMART CARD AUTHENTICATION
(figure only in the original slide)
PATTERN BASED AUTHENTICATION
(figure only in the original slide)
TWO FACTOR AUTHENTICATION
Two-factor authentication requires two out of the four means of authentication. Examples of two-factor authentication systems:
• ATM card: a combination of "something you have" (the ATM card) and "something you know" (the PIN).
• Credit card together with a signature.
• A biometric thumbprint mouse that also requires a password.
• Smart card with a PIN.
ATTACKING SYSTEMS VIA PASSWORDS
Suppose a user logs into a client computer and his/her password is stored on the server. Suppose that the attacker Trudy is an "outsider", that is, she has no access to a particular system. A common attack path for Trudy would be:
outsider → normal user → administrator
Trudy will initially seek access to any account on the system, then attempt to upgrade her level of privilege. One weak password on a system, or in the extreme one weak password on an entire network, could be enough for the first stage of the attack to succeed. The bottom line is that one weak password may be one too many.
ATTACKING SYSTEMS VIA PASSWORDS
Problem: how can we protect the user from someone who steals his/her password from the server? How can we securely compare the password entered by the user with the stored password (checking the validity of the password)?
Goals:
• The password must not be sent in the clear from the client computer to the server.
• The password must not be sent from the server to the client computer.
• The raw password should not be stored on the server.
For a computer to determine the validity of an entered password, it must have something to compare against; that is, the computer must have access to the correct password in some form. But it is a bad idea to simply store passwords in a file, since this would be a prime target for Trudy. Here, as in many other areas in information security, cryptography comes to our rescue. Instead of storing "raw" passwords in a file, the server can either encrypt the passwords (and must then protect the key) or, more commonly, store only a hash of each password and hash what the user enters before comparing. A variant in which the client computes the checksum of the entered password and sends that to the server (or vice versa) needs care: whatever value the server compares against is then as good as the password itself, so if the stored value is exactly what the client sends, stealing the file lets Trudy log in directly. The hashing must happen on the server's side of the comparison, with the password delivered over a protected channel.
BIRTHDAY PROBLEM
If there are n people in a room, what is the probability that two of the people have the same birthday (ignoring leap years, so 365 possible birthdays)? Computing this directly is difficult, so turn it around: how many people can have different birthdays, or, what is the probability that all n people have different birthdays?
P(match) + P(different) = 1, so P(match) = 1 − P(different)
Example, n = 5:
P(different) = 365/365 · 364/365 · 363/365 · 362/365 · 361/365 ≈ 0.9729
P(match) = 1 − P(different) ≈ 0.0271
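The product above carried through for general n, as an added example that is not part of the original slides. It goes beyond the n = 5 case: it finds the smallest group for which a match is more likely than not, and applies the same model to a b-bit hash, where the number of random inputs needed for a likely collision is about 2^(b/2) rather than 2^b. The function names are my own.

```python
from fractions import Fraction
import math


def p_no_match(n: int, days: int = 365) -> Fraction:
    """Exact probability that n people all have different birthdays:
    the slide's product 365/365 * 364/365 * ... carried to n factors."""
    if n > days:
        return Fraction(0)          # pigeonhole: more people than days
    p = Fraction(1)
    for k in range(n):
        p *= Fraction(days - k, days)
    return p


def p_match(n: int, days: int = 365) -> float:
    """P(match) = 1 - P(different)."""
    return float(1 - p_no_match(n, days))


def smallest_n(target: float, days: int = 365) -> int:
    """Smallest group size whose collision probability reaches target,
    computed incrementally so large 'days' (hash spaces) stay cheap."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    p_diff = Fraction(1)
    n = 0
    while 1 - p_diff < target:
        p_diff *= Fraction(days - n, days)
        n += 1
    return n


def hash_birthday_bound(bits: int) -> int:
    """Same model for a b-bit hash: how many random inputs until a collision
    is about 50% likely. Uses n ~ sqrt(2 ln 2 * 2^bits), i.e. roughly 2^(bits/2)."""
    return math.isqrt(int(2 * math.log(2) * (1 << bits)))


if __name__ == "__main__":
    print(round(p_match(5), 4))      # the slide's n = 5 example
    print(smallest_n(0.5))           # 23 people suffice for a 50% chance of a shared birthday
    print(hash_birthday_bound(64))   # about 5e9 inputs for a 64-bit hash, not 2^64
```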
BIRTHDAY ATTACK
Suppose I want to write the message "I SHALL COME" and confirm it with a checksum, and I want "I SHALL NOT COME" to have the same checksum. Write many versions of "Yes" and "No" and calculate the checksum for each. By the birthday reasoning, for a b-bit checksum about 2^(b/2) versions of each message are enough for a matching pair to be likely, far fewer than the 2^b tries needed to hit one specific checksum.
Versions of "YES":
• I shall come
• I shall come soon
• Arriving any minute
Versions of "NO":
• I shall not come
• I shall never come
• Don't wait for me
Get your computer to help you with more versions…
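Getting the computer to produce the versions, as an added example that is not part of the original slides. To keep the search instant it uses a constructed 16-bit "checksum" (the first two bytes of SHA-256); the two sentences and the trick of varying single versus double spaces between words are my own choices. With 2^10 versions on each side, the expected number of cross collisions in a 2^16 space is 2^10 · 2^10 / 2^16 = 16, so a matching pair is found almost surely.

```python
import hashlib
from itertools import product

# Constructed toy parameters: a 16-bit tag. A real hash is much wider,
# but the work scales as 2^(bits/2), which is the point of the attack.
TAG_BITS = 16

YES = "I shall come to the meeting tomorrow as we agreed earlier".split()
NO = "I shall not come to the meeting tomorrow as we agreed".split()


def checksum(msg: str) -> int:
    """Toy checksum: first TAG_BITS bits of SHA-256."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest[: TAG_BITS // 8], "big")


def variants(words):
    """2^(len(words)-1) versions of one sentence that read identically:
    each gap between words is either one space or two."""
    gaps = len(words) - 1
    for choice in product((" ", "  "), repeat=gaps):
        yield "".join(w + g for w, g in zip(words, choice)) + words[-1]


def find_collision(yes_words, no_words):
    """Return (yes_msg, no_msg) with equal checksums, or None if unlucky."""
    seen = {}
    for m in variants(yes_words):           # 2^10 "yes" versions, indexed by tag
        seen.setdefault(checksum(m), m)
    for m in variants(no_words):            # 2^10 "no" versions, looked up by tag
        tag = checksum(m)
        if tag in seen:
            return seen[tag], m
    return None


if __name__ == "__main__":
    pair = find_collision(YES, NO)
    if pair:
        yes_msg, no_msg = pair
        print(repr(yes_msg))
        print(repr(no_msg))
        print(hex(checksum(yes_msg)), "==", hex(checksum(no_msg)))
```

The attacker gets the victim to sign or checksum the harmless "yes" version and later substitutes the "no" version with the same tag; the 2048 hash computations here are tiny compared with the 65536 expected for a direct second-preimage search on a 16-bit tag.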
BIRTHDAY ATTACK
Using the same analogy for passwords. (The remaining slides in this section are figures only.)
HASHING THE PASSWORDS
Hashes of the passwords are stored: ID, H(P). When the user submits a password, it is hashed and compared to the stored hash. If an attacker gets access to the database, it is practically impossible to take a hash value and directly determine the password (the one-wayness, i.e. preimage-resistance, property of cryptographic hashes).
HASHING THE PASSWORDS
The advantage of this approach is that, if Trudy obtains the password file, she does not have the actual passwords; instead she only has the hashed passwords. Of course, if Trudy knows the hash value y, she can guess likely passwords x until she finds an x for which y = h(x), at which point she will have found the password. But at least Trudy has work to do after she has obtained the password file.
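The server-side scheme from the two slides above (store ID, H(P); hash the submitted password and compare), as an added example that is not part of the original slides. It adds two things the slides do not discuss but a practitioner would want: a per-user random salt, so that two users with the same password get different stored values and a precomputed table of hashes cannot be reused across users or files, and a deliberately slow hash (PBKDF2-HMAC-SHA256) so that each of Trudy's guesses costs her real work. The iteration count, record layout and user names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical parameters for the example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. Real deployments tune the iteration count to their hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return the record to store in place of the raw password: alg, cost, salt, H(salt, P)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class PasswordFile:
    """The server-side table Trudy hopes to steal: ID -> hashed record only, never the password."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        stored = self.records.get(user)
        if stored is None:
            hash_password(password)   # burn the same time so unknown users are not revealed by timing
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    pf = PasswordFile()
    pf.register("alice", "correct horse battery staple")
    pf.register("bob", "correct horse battery staple")      # same password as alice
    print(pf.records["alice"] != pf.records["bob"])         # True: different salts, different hashes
    print(pf.login("alice", "correct horse battery staple"), pf.login("alice", "wrong"))
```

Stealing `pf.records` now gives Trudy only salted, slow hashes: she must run the full PBKDF2 computation per guess per user, and a dictionary of precomputed hashes built for one salt is useless against every other record.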
PRE-CALCULATED HASHES AND RAINBOW TABLES
How to speed up a brute-force attack? Use hash values calculated by someone else. Example:
1. Suppose Trudy has a "dictionary" containing N common passwords, say d0, d1, d2, …, dN−1.
2. Then she could pre-compute the hash of each password in the dictionary, that is, y0 = h(d0), y1 = h(d1), …, yN−1 = h(dN−1).
3. If Trudy then gets access to a password file containing hashed passwords, she only needs to compare the entries in the password file to the entries in her pre-computed dictionary of hashes.
The pre-computed dictionary could be reused for each password file, thereby saving Trudy the work of re-computing the hashes.
How big is the database of computed hashes? In raw form, too big to be practical (hundreds to thousands of TB).
Drawback: reduced search time, but increased storage space.
PRE-CALCULATED HASHES AND RAINBOW TABLES
Example: time-memory trade-off. It is possible to spend some time and calculate the hashes of all possible passwords. How many passwords are there? For eight lowercase letters, 26^8 ≈ 2·10^11. If we process 10^6 passwords per second, we can finish the search in about 2·10^5 seconds, roughly three days. It is expensive to store that much information. For comparison, all servers of Google store approximately bytes.
RAINBOW TABLE
How to generate chains in the rainbow tables:
• Start with a password.
• Generate its hash.
• Treat this hash as a password. (In practice a reduction function maps the hash back into the password space, i.e. to a string of the allowed length and character set, since a raw hash is not itself a candidate password.)
• Repeat a number of times (for instance, a million times).
RAINBOW TABLE
Instead of storing a million passwords and hashes, we only need to store one pair: the password at the start of the chain and the hash at its end. All the passwords and hashes between them don't need to be stored.
RAINBOW ATTACK
Now suppose an attacker wants to find out what password corresponds to a given hash, and suppose this hash belongs to one of our rainbow chains. By hashing (and reducing) this hash sufficiently many times we reach the stored end of a chain, which tells us which chain contains it. Then we only need to re-calculate this one chain from its stored start and stop at the password whose hash is the given one. Two consequences follow: the table only helps if the hash function and character set match the ones it was built for, and a per-user salt forces a separate table per salt value, which is why salted hashes resist this attack.
RAINBOW ATTACK, STEP BY STEP (the three slides that follow are figures only)
1. Build the rainbow table.
2. Hash the given hash repeatedly until one of the stored hashes is obtained.
3. Find the password matching the hash.
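The three steps above, chain construction and lookup included, as an added example that is not part of the original slides. The parameters are deliberately tiny (three lowercase letters, unsalted MD5, 800 chains of 40 steps) so it runs in well under a second; the reduction function, the choice of start points and the function names are my own. The example goes slightly beyond the slides in one respect: the reduction depends on the position in the chain, which is what makes the table a rainbow table rather than a plain Hellman table (it limits chains that merge), and the lookup therefore has to try each possible position. It also handles the false alarm case, where an endpoint matches but the chain does not actually contain the target.

```python
import hashlib
import string

# Toy parameters (hypothetical, chosen to run in a second): 3 lowercase letters,
# unsalted MD5, chains of 40 steps, 800 chains. Real tables use far larger spaces.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN       # 17576 possible passwords
CHAIN_LEN = 40
NUM_CHAINS = 800


def H(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()


def index_to_pw(n: int) -> str:
    """Enumerate the password space: 0 -> 'aaa', 1 -> 'baa', ..., SPACE-1 -> 'zzz'."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(i: int, digest: bytes) -> str:
    """Reduction function for chain position i: maps a hash back into the
    password space. This is what 'treat the hash as a password' means in
    practice; making it depend on i limits chain merges (the rainbow idea)."""
    return index_to_pw((int.from_bytes(digest, "big") + i) % SPACE)


def chain(start: str, length: int = CHAIN_LEN) -> list:
    """[p_0, p_1, ..., p_length] with p_{i+1} = R_i(H(p_i)); only the two ends are stored."""
    pws = [start]
    for i in range(length):
        pws.append(R(i, H(pws[-1])))
    return pws


def build_table(num_chains: int = NUM_CHAINS) -> dict:
    """Step 1: endpoint -> start point. Everything in between is recomputed on demand."""
    table = {}
    for k in range(num_chains):
        start = index_to_pw((k * 7919) % SPACE)    # deterministic, spread-out starts
        table.setdefault(chain(start)[-1], start)   # merged chains keep the first start
    return table


def lookup(table: dict, target: bytes, length: int = CHAIN_LEN):
    """Steps 2 and 3: recover p with H(p) == target, or None if no chain covers it."""
    # Guess that target sits at position k of some chain, latest position first:
    # finish the chain from there and see whether we land on a stored endpoint.
    for k in range(length - 1, -1, -1):
        x = R(k, target)
        for j in range(k + 1, length):
            x = R(j, H(x))
        start = table.get(x)
        if start is None:
            continue
        for p in chain(start, length)[:-1]:   # recompute only this one chain
            if H(p) == target:
                return p
        # Endpoint matched but the chain does not contain target: a false alarm
        # caused by a merge. Keep trying the remaining positions.
    return None


if __name__ == "__main__":
    table = build_table()
    victim = chain("aaa")[10]                  # a password the table is known to cover
    print(victim, lookup(table, H(victim)))
    # Salting defeats this: H(salt || p) is a different function per user,
    # so the table above, built for plain H, would have to be rebuilt per salt.
```

The table holds at most 800 (start, end) pairs yet covers on the order of 800 × 40 passwords; a miss costs about CHAIN_LEN²/2 hash evaluations of lookup work, which is the time side of the time-memory trade-off.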