Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication."— Presentation transcript:

1 Authentication

2 Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication - confirming that claims are true Authentication - confirming that claims are true –I am who I say I am –I have a valid credential Authorization - granting permission based on a valid claim Authorization - granting permission based on a valid claim –Now that I have been validated, I am allowed to access certain resources or take certain actions Access control system - a system that authenticates users and gives them access to resources based on their authorizations Access control system - a system that authenticates users and gives them access to resources based on their authorizations –Includes or relies upon an authentication mechanism –May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations Slides modified from Lorrie Cranor, CMU

3 Building blocks of authentication Factors Factors –Something you know (or recognize) –Something you have –Something you are Mechanisms Mechanisms –Text-based passwords –Graphical passwords –Hardware tokens –Public key crypto protocols –Biometrics

4 Two factor systems Two factors are better than one Two factors are better than one –Especially two factors from different categories Question: What are some examples of two- factor authentication?

5 Evaluation Accessibility Accessibility Memorability Memorability –Depth of processing, retrieval, meaningfulness Security Security –Predictability, abundance, disclosure, crackability, confidentiality Cost Cost Environmental considerations Environmental considerations –Range of users, frequency of use, type of access, etc.

6 Typical password advice

7 Pick a hard to guess password Pick a hard to guess password Don’t use it anywhere else Don’t use it anywhere else Change it often Change it often Don’t write it down Don’t write it down –Do you? Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

8 Problems with Passwords Selection Selection –Difficult to think of a good password –Passwords people think of first are easy to guess Memorability Memorability –Easy to forget passwords that aren’t frequently used –Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters Reuse Reuse –Too many passwords to remember –A previously used password is memorable Sharing Sharing –Often unintentional through reuse –Systems aren’t designed to support the way people work together and share information

9 How Long does it take to Crack a Password? Brute force attack Brute force attack Assuming 100,000 encryption operations per second Assuming 100,000 encryption operations per second FIPS Password Usage FIPS Password Usage –3.3.1 Passwords shall have maximum lifetime of 1 year http://geodsoft.com/howto/password/cracking_passwords.htm#howlong Password Length

10 The Password Quiz What is your score? What is your score? Do you agree with each piece of advice? Do you agree with each piece of advice? What is most common problem in the class? What is most common problem in the class? Any bad habits not addressed? Any bad habits not addressed?

11 Check your password http://www.securitystats.com/tools/password.php Question: Why don’t all sites do this? https://www.google.com/accounts/EditPasswd

12 Text-based passwords Random (system or user assigned) Random (system or user assigned) Mnemonic Mnemonic Challenge questions (semantic) Challenge questions (semantic) Anyone ever had a system assigned random password? Your experience? Anyone ever had a system assigned random password? Your experience?

13 Four Mnemonic Passwords First letter of each word (with punctuation) fsasya,oF Substitute numbers for words or similar-looking letters 4sa7ya,oF Substitute symbols for words or similar-looking letters F 4sasya,oF Four 4sa7ya,oF 4s&7ya,oF score score s andaand seven seven sseven yearsy ago a,, our oFathers F Source: Cynthia Kuo, SOUPS 2006

14 The Promise? Phrases help users incorporate different character classes in passwords Phrases help users incorporate different character classes in passwords –Easier to think of character-for-word substitutions Virtually infinite number of phrases Virtually infinite number of phrases Dictionaries do not contain mnemonics Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006

15 Memorability of Password Study Goal Goal –examine effects of advice on password selection in real world Method: experiment Method: experiment independent variables? independent variables? Advice given Advice given Dependent variables? Dependent variables? Attacks, length, requests, memorability survey Attacks, length, requests, memorability survey

16 Study, cont. Conditions Conditions –Comparison –Control –Random password –Passphrase (mnemonic) Students randomly assigned Students randomly assigned Attacks performed one month later Attacks performed one month later Survey four months later Survey four months later

17 Results All conditions longer password than comparison group All conditions longer password than comparison group Random & passphrase conditions had significantly fewer successful attacks Random & passphrase conditions had significantly fewer successful attacks Requests for password the same Requests for password the same Random group kept written copy of password for much longer than others Random group kept written copy of password for much longer than others Non-compliance rate of 10% Non-compliance rate of 10% What are the implications? What are the strengths of the study? Weaknesses?

18 Source: Cynthia Kuo, SOUPS 2006 Mnemonic password evaluation Mnemonic passwords are not a panacea, but are an interesting option Mnemonic passwords are not a panacea, but are an interesting option –No comprehensive dictionary today May become more vulnerable in future May become more vulnerable in future –Users choose music lyrics, movies, literature, and television –Attackers incentivized to build dictionaries Publicly available phrases should be avoided! Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

19 Password keeper software Run on PC or handheld Run on PC or handheld Only remember one password Only remember one password How many use one of these? How many use one of these? Advantages? Advantages? Disadvantages? Disadvantages?

20 “Forgotten password” mechanism Email password or magic URL to address on file Email password or magic URL to address on file Challenge questions Challenge questions Why not make this the normal way to access infrequently used sites? Why not make this the normal way to access infrequently used sites?

21 Challenge Questions Question and answer pairs Question and answer pairs Issues: Issues: –Privacy: asking for personal info –Security: how difficult are they to guess and observe? –Usability: answerable? how memorable? How repeatable? What challenge questions have you seen? Purpose?

22 Challenge questions How likely to be guessed? How likely to be guessed? How concerned should we be about How concerned should we be about –Shoulder surfing? –Time to enter answers? –A knowledgeable other person? –Privacy?

23 Graphical Passwords We are much better at remembering pictures than text We are much better at remembering pictures than text User enters password by clicking on on the screen User enters password by clicking on on the screen –Choosing correct set of images –Choosing regions in a particular image Potentially more difficult to attack (no dictionaries) Potentially more difficult to attack (no dictionaries) Anyone ever used one? Anyone ever used one?

24 Schemes Choose a series of images Choose a series of images –Random[1] –Passfaces[2] –Visual passwords (for mobile devices)[3] –Provide your own images 1.R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium, 2000. 2.http://www.realuser.com/http://www.realuser.com/ 3.W. Jansen, et al, "Picture Password: A Visual Login Technique for Mobile Devices," National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.

25 Schemes Click on regions of image Click on regions of image –Blonder’s original idea: click on predefined regions [1] –Passlogix – click on items in order [2] –Passpoints – click on any point in order [3] 1.G. E. Blonder, "Graphical passwords," in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996. 2.http://www.passlogix.com/http://www.passlogix.com/ 3.S. Wiedenbeck, et al. "Authentication using graphical passwords: Basic results," in Human-Computer Interaction International (HCII 2005). Las Vegas, NV, 2005.

26 Schemes Freeform Freeform –Draw-a-Secret (DAS) I. Jermyn, et al. "The Design and Analysis of GraphicalPasswords," in Proceedings of the 8th USENIX SecuritySymposium, 1999. –Signature drawing

27 Theoretical Comparisons Advantages: Advantages: –As memorable or more than text –As large a password space as text passwords –Attack needs to generate mouse output –Less vulnerable to dictionary attacks –More difficult to share Disadvantages Disadvantages –Time consuming –More storage and communication requirements –Shoulder surfing an issue –Potential interference if becomes widespread See a nice discussion in: Suo and Zhu. “Graphical Passwords: A Survey,” in the Proceedings of the 21 st Annual Computer Security Applications Conference, December 2005.

28 How do they really compare? Many studies of various schemes… Many studies of various schemes… Faces vs. Story Faces vs. Story –Method: experiment independent – participant race and sex, faces or story independent – participant race and sex, faces or story Dependent – types of items chosen, liklihood of attack Dependent – types of items chosen, liklihood of attack –Real passwords – used to access grades, etc. –Also gathered survey responses –Results: we are highly predictable, particularly for faces we are highly predictable, particularly for faces Attacker could have succeeded with 1 or 2 guesses for 10% of males! Attacker could have succeeded with 1 or 2 guesses for 10% of males! –Implications?

29 Other examples Passpoints predictable too! Passpoints predictable too! Can predict or discover hot spots to launch attacks. Can predict or discover hot spots to launch attacks. Julie Thorpe and P.C. van Oorschot. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords, in Proceedings of 16 th USENIX Security Symposium, 2007.

30 Other uses of images CAPTCHA – differentiate between humans and computers CAPTCHA – differentiate between humans and computers –Use computer generated image to guarantee interaction coming from a human –An AI-hard problem Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford. “CAPTCHA: Using Hard AI Problems for Security,” In Advances in Cryptology, Eurocrypt 2003.

31 More food for thought How concerned should we be about the weakest link/worse case user? How concerned should we be about the weakest link/worse case user? –Do we need 100% compliance for good passwords? How do we achieve? What do you think of “bugmenot” What do you think of “bugmenot”bugmenot Is it possible to have authorization without identification? Is it possible to have authorization without identification?

32 Project Groups 3 groups of 4, 1 group of 3 3 groups of 4, 1 group of 3 Form your group by the END of class next week Form your group by the END of class next week Preliminary user study of privacy or security application, mechanism, or concerns Preliminary user study of privacy or security application, mechanism, or concerns Deliverables: Deliverables: –Idea –Initial plan 5 points –Plan 20 points –Report 20 points –Presentation 5 points

33 Project Ideas Start with a question or problem… Start with a question or problem… –Why don’t more people encrypt their emails? –How well does product X work for task Y? –What personal information do people expect to be protected? Flip through chapters in the book & papers Flip through chapters in the book & papers –Follow up on existing study Examine your own product/research/idea Examine your own product/research/idea Examine something you currently find frustrating, interesting, etc. Examine something you currently find frustrating, interesting, etc.

34 Ideas?

35 A Look Ahead Next week: User studies Next week: User studies –pay attention to the method of study in your readings –ALSO: observation assignment Two weeks – rest of authentication Two weeks – rest of authentication –ALSO: project ideas due

36 Next week’s assignment Observe people using technology Observe people using technology –Public place, observe long enough for multiple users –Take notes on what you see Think about privacy and security, but observe and note everything Think about privacy and security, but observe and note everything –Write up a few paragraphs describing your observations Don’t forget IRB certification Don’t forget IRB certification

Download ppt "Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.

A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
WELCOME TO OUR READING ASSESSMENT PREP INFO PRESENTATION CONGRATULATIONS!!!

WELCOME TO OUR READING ASSESSMENT PREP INFO PRESENTATION CONGRATULATIONS!!!
Use Your Illusion: Secure Authentication Usable Anywhere Eiji Hayashi Nicolas Christin Rachna Dhamija Adrian Perrig Carnegie Mellon CyLab Japan.

Use Your Illusion: Secure Authentication Usable Anywhere Eiji Hayashi Nicolas Christin Rachna Dhamija Adrian Perrig Carnegie Mellon CyLab Japan.
Trustworthy Computing in My Mind: A Case Study on Visual Password Shujun Li Visiting Student at VC Group, Microsoft Research Asia Institute of Image Processing.

Trustworthy Computing in My Mind: A Case Study on Visual Password Shujun Li Visiting Student at VC Group, Microsoft Research Asia Institute of Image Processing.
3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.

3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.
User Authentication Rachna Dhamija Human Centered Computing Course December 6, 1999 Image Recognition in.

User Authentication Rachna Dhamija Human Centered Computing Course December 6, 1999 Image Recognition in.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I.

05-899/ Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.
CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

Similar presentations

Ads by Google