
CSCI 530 Lab: Authentication (presentation transcript)


Slide 1: CSCI 530 Lab Authentication

Slide 2: Authentication
Authentication is verifying the identity of a particular person.
- Example: logging into a system
- Example: PGP, where the digital signature is the authentication mechanism
Authentication is different from authorization: authorization states what the user can do on a system.

Slide 3: Authentication
How do we authenticate?
- Something they know: password
- Something they are: retina, fingerprint, DNA
- Something they own: smart card
- Somewhere they are: login only works at certain terminals

Slide 4: How much authentication is needed?
We can use either one or a combination of all the above.
- Client systems: normally just a login
- Military top secret security base: name badge, passcode
- Credit card purchases: driver's license (name, picture)

Slide 5: How can authentication be broken?
For security purposes, we need to know how authentication can be broken so we know how to protect against it.
- Passwords: can be guessed, can be cracked
- Smartcards: can be copied or stolen
- Fingerprints: can be copied using scotch tape

Slide 6: Password Breaking
Dictionary attack
- A list of dictionary words is tried one after another
- Very quick
- If the password is not an exact match to a word on the list, it will fail
Hybrid attack
- Uses a dictionary list but can also try slight variations of words, or combinations of words
- Example: if the word "hello" is in the list but the password is "Hello", a dictionary attack will not break the password, but a hybrid attack will
- Generally finds many more passwords than a dictionary attack
- Not as quick as a dictionary attack

Slide 7: Password Breaking
Brute-force attack
- Tries every character combination until it finds the password
- EXTREMELY SLOW
- Will always find the password eventually
These techniques can be used either against a live system or against a file containing the passwords.
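Slides 6 and 7 describe three attack classes from the attacker's side. The defender's use of the same classification is a password-acceptance policy: reject, at the moment a password is set, anything a dictionary or hybrid pass would find, and estimate the brute-force keyspace that remains. The following is an added example written for this transcript, not code from the lecture or the lab; the five-word WORDLIST, the LEET substitution map and the 12-character minimum are constructed assumptions, and a real deployment would load a large leaked-password corpus instead.

```python
import string

# Constructed mini wordlist standing in for a real dictionary file (assumption
# for this example; a production check loads a large corpus).
WORDLIST = ["hello", "password", "welcome", "letmein", "dragon"]

# Substitutions a hybrid attack tries; the policy undoes them before matching
# so that "h3llo" is treated as the dictionary word "hello".
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(candidate: str) -> str:
    """Lower-case, strip a digit/symbol suffix, then undo leet substitutions.

    This is the reverse of the variations a hybrid attack generates, so a
    password that normalizes to a dictionary word would fall to one quickly.
    """
    s = candidate.lower().rstrip(string.digits + string.punctuation)
    return "".join(LEET.get(ch, ch) for ch in s)


def classify(candidate: str, wordlist=WORDLIST) -> str:
    """Return the cheapest attack class from the slides that finds this password.

    'dictionary': exact match against the list.
    'hybrid':     a variation or a two-word combination of list entries.
    'bruteforce': nothing cheaper than exhaustive search applies.
    """
    words = set(wordlist)
    if candidate in words:
        return "dictionary"
    base = normalize(candidate)
    if base in words:
        return "hybrid"
    # combinations of two list words, e.g. "hellodragon"
    if any(base[:i] in words and base[i:] in words for i in range(1, len(base))):
        return "hybrid"
    return "bruteforce"


def charset_size(candidate: str) -> int:
    """Size of the union of standard character classes the password uses."""
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def bruteforce_keyspace(candidate: str) -> int:
    """Guesses an exhaustive search over this length and character set must cover.

    Upper bound c**n for the fixed length n; the shorter lengths a real brute
    force tries first add only about 1/(c-1) on top of this.
    """
    return charset_size(candidate) ** len(candidate)


def policy_check(candidate: str, min_length: int = 12) -> list:
    """Reasons to reject a new password; an empty list means it passes."""
    reasons = []
    kind = classify(candidate)
    if kind != "bruteforce":
        reasons.append(f"findable by a {kind} attack")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons
```

The ordering in classify matters: an exact hit is reported as "dictionary" even though a hybrid pass would also find it, because the slide's point is which attack is cheapest. The keyspace figure shows why length dominates: "Hello1!" draws from 94 characters, but at 7 characters its keyspace (94^7) is still far smaller than a long passphrase drawn only from lower-case letters.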

Slide 8: Rainbow Tables
- Introduced by Philippe Oechslin
- Uses a reduce function to map a hash back to a candidate password
- Uses chains of hash/reduce steps to determine the exact password
- For a good primer on rainbow tables, see: http://kestas.kuliukas.com/RainbowTables/
Pros
- Can break any password in a matter of minutes
Cons
- Must have a specific rainbow table for a particular hashing function
- Can be defeated using salts
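Both "cons" on this slide come from the same property: a precomputed table only answers for the exact hash function applied to the exact bare password string. The added example below (written for this transcript, not from the lecture) shows that property with a plain hash-to-password lookup table rather than full hash/reduce chains, since the lookup step is the same in both; it then shows why a per-user random salt plus a slow key-derivation function makes the table useless. The five-word WORDLIST, the choice of SHA-256 for the unsalted case, PBKDF2-HMAC-SHA256 with 200,000 rounds, and the "salt$hash" record format are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; a real precomputed table covers billions of
# candidates (assumption for this example, not part of the lecture).
WORDLIST = ["hello", "password", "letmein", "dragon", "welcome"]

PBKDF2_ROUNDS = 200_000   # work factor; raise it as hardware gets faster


def build_lookup_table(words, algo="sha256"):
    """Precompute hash -> password once, before any target is chosen.

    A rainbow table compresses this with hash/reduce chains, but the lookup
    principle is identical: the table answers only for exactly this hash
    function applied to exactly the bare password string.
    """
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password, algo="sha256"):
    """How NOT to store a password: deterministic, so precomputation works."""
    return hashlib.new(algo, password.encode()).hexdigest()


def table_lookup(table, stored_hash):
    """Return the password for a stored hash if the precomputed table has it."""
    return table.get(stored_hash)


def salted_record(password, salt=None):
    """Store 'salt$hash' with a per-user random salt and a slow KDF (PBKDF2).

    Two users with the same password get different records, and no table
    built in advance can have included this salt.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Return (unsalted_found, salted_found) for the same password "hello":
    the table recovers the unsalted hash but not the salted record."""
    table = build_lookup_table(WORDLIST)
    unsalted_found = table_lookup(table, unsalted_hash("hello"))
    record = salted_record("hello")
    salted_found = table_lookup(table, record.split("$")[1])
    return unsalted_found, salted_found
```

The salt is not secret; it is stored next to the hash. Its job is only to make every stored hash unique, so the attacker must start from scratch per account instead of per hash function. The slow KDF is the second half of the defence: it makes that per-account work expensive, which is what the slide's "matter of minutes" figure for an unsalted fast hash does not account for.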

Slide 9: Detecting someone trying to break into a system
Auto-logout
- If the user enters the wrong password n times, disable their account for a certain period of time
Protect the password list on your system
- Make sure the administrator has access and no one else, so a normal user cannot copy it onto another system
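The two controls on this slide can both be expressed as small, testable checks. The added example below (written for this transcript, not from the lecture) implements the lockout counter with a time-based expiry and an injectable clock, plus a permission check for the file that holds the password hashes. The defaults of 5 failures and a 900-second lock are constructed assumptions, as is the decision to refuse even a correct password while the lock is active; the mode check is written against an in-memory mode value so it can be exercised without touching a real system file.

```python
import stat
import time
from collections import defaultdict


class LockoutPolicy:
    """Disable an account for lock_seconds after max_failures wrong passwords.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # lock expired: clear the counter so the user gets a fresh allowance
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        password_ok is the result of the real credential check. While the
        account is locked the answer is 'locked' regardless of that result,
        so a guesser learns nothing from the lock period.
        """
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lock_seconds
            return "locked"
        return "failed"


def password_file_mode_ok(mode):
    """True if a password-hash file's permission bits give 'other' no access
    and 'group' no write access, so an ordinary user cannot read or copy it.

    Group read is tolerated because some distributions keep the shadow file
    as 0640 owned by root with a dedicated group; world-readable (0644) or
    group-writable (0660) fails.
    """
    no_other = (mode & (stat.S_IRWXO)) == 0
    no_group_write = (mode & stat.S_IWGRP) == 0
    return no_other and no_group_write


def check_password_file(path):
    """Apply the mode check to a real file, e.g. '/etc/shadow' on Linux."""
    import os
    return password_file_mode_ok(stat.S_IMODE(os.stat(path).st_mode))
```

One caveat a practitioner should weigh before deploying the lockout: because it can be triggered by anyone who knows a username, it also lets an outsider lock legitimate users out. Logging each lock event and alerting on many locks in a short window turns the control into the detection mechanism the slide title asks for.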

Slide 10: This week's lab
- Using a virtual Linux system
- Log in as root, create user names, then copy the password file to the Windows host system
- Use John the Ripper to break the passwords in the password file
- Must be done in the lab since we are using a Linux virtual machine

