Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

Published byKristopher Fitzgerald Modified over 9 years ago

Similar presentations

Presentation on theme: "November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics."— Presentation transcript:

1 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods

2 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-2 Overview Basics Passwords –Storage –Selection –Breaking them Other methods Multiple methods

3 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-3 Basics Authentication: binding of identity to subject –Identity is that of external entity (my identity, Matt, etc.) –Subject is computer entity (process, etc.)

4 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-4 Establishing Identity One or more of the following –What entity knows (eg. password) –What entity has (eg. badge, smart card) –What entity is (eg. fingerprints, retinal characteristics) –Where entity is (eg. In front of a particular terminal)

5 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-5 Authentication System (A, C, F, L, S) –A information that proves identity –C information stored on computer and used to validate authentication information –F complementation function; f : A  C –L functions that prove identity –S functions enabling entity to create, alter information in A or C

6 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-6 Example Password system, with passwords stored on line in clear text –A set of strings making up passwords –C = A –F singleton set of identity function { I } –L single equality test function { eq } –S function to set/change password

7 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-7 Passwords Sequence of characters –Examples: 10 digits, a string of letters, etc. –Generated randomly, by user, by computer with user input Sequence of words –Examples: pass-phrases Algorithms –Examples: challenge-response, one-time passwords

8 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-8 Storage Store as cleartext –If password file compromised, all passwords revealed Encipher file –Need to have decipherment, encipherment keys in memory –Reduces to previous problem Store one-way hash of password –If file read, attacker must still guess passwords or invert the hash

9 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-9 Example UNIX system standard hash function –Hashes password into 11 char string using one of 4096 hash functions As authentication system: –A = { strings of 8 chars or less } –C = { 2 char hash id || 11 char hash } –F = { 4096 versions of modified DES } –L = { login, su, … } –S = { passwd, nispasswd, passwd+, … }

10 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-10 Anatomy of Attacking Goal: find a  A such that: –For some f  F, f(a) = c  C –c is associated with entity Two ways to determine whether a meets these requirements: –Direct approach: as above –Indirect approach: as l(a) succeeds iff f(a) = c  C for some c associated with an entity, compute l(a)

11 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-11 Preventing Attacks How to prevent this: –Hide one of a, f, or c Prevents obvious attack from above Example: UNIX/Linux shadow password files –Hides c’s –Block access to all l  L or result of l(a) Prevents attacker from knowing if guess succeeded Example: preventing any logins to an account from a network –Prevents knowing results of l (or accessing l)

12 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-12 Dictionary Attacks Trial-and-error from a list of potential passwords –Off-line: know f and c’s, and repeatedly try different guesses g  A until the list is done or passwords guessed Examples: crack, john-the-ripper –On-line: have access to functions in L and try guesses g until some l(g) succeeds Examples: trying to log in by guessing a password

13 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-13 Using Time Anderson’s formula: P probability of guessing a password in specified period of time G number of guesses tested in 1 time unit T number of time units N number of possible passwords (|A|) Then P ≥ TG/N

14 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-14 Example Goal –Passwords drawn from a 96-char alphabet –Can test 10 4 guesses per second –Probability of a success to be 0.5 over a 365 day period –What is minimum password length? Solution –N ≥ TG/P = (365  24  60  60)  10 4 /0.5 = 6.31  10 11 –Choose s such that  s j=0 96 j ≥ N –So s ≥ 6, meaning passwords must be at least 6 chars long

15 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-15 Approaches: Password Selection Random selection –Any password from A equally likely to be selected Pronounceable passwords User selection of passwords

16 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-16 Pronounceable Passwords Generate phonemes randomly –Phoneme is unit of sound, eg. cv, vc, cvc, vcv –Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not Problem: too few Solution: key crunching –Run long key through hash function and convert to printable sequence –Use this sequence as password –will assure the developer that even the short password key space will have a far greater opportunity of being fully exploited by the user.

17 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-17 User Selection Problem: people pick easy to guess passwords –Based on account names, user names, computer names, place names –Dictionary words (also reversed, odd capitalizations, control characters, “elite-speak”, conjugations or declensions, swear words, Torah/Bible/Koran/… words) –Too short, digits only, letters only –License plates, acronyms, social security numbers –Personal characteristics (pet names, nicknames, job characteristics, etc.)

18 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-18 Picking Good Passwords “LlMm*2^Ap” –Names of members of 2 families “OoHeO/FSK” –Second letter of each word of length 4 or more in third line of third verse of Star-Spangled Banner, followed by “/”, followed by author’s initials What’s good here may be bad there –“DMC/MHmh” bad at Dartmouth (“Dartmouth Medical Center/Mary Hitchcock memorial hospital”), ok here Why are these now bad passwords? 

19 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-19 Proactive Password Checking Analyze proposed password for “goodness” –Always invoked –Can detect, reject bad passwords for an appropriate definition of “bad” –Discriminate on per-user, per-site basis –Needs to do pattern matching on words –Needs to execute subprograms and use results Spell checker, for example –Easy to set up and integrate into password selection system

20 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-20 Example: OPUS Goal: check passwords against large dictionaries quickly –Run each word of dictionary through k different hash functions h 1, …, h k producing values less than n –Set bits h 1, …, h k in OPUS dictionary –To check new proposed word, generate bit vector and see if all corresponding bits set If so, word is in one of the dictionaries to some degree of probability If not, it is not in the dictionaries

21 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-21 Example: passwd+ Provides little language to describe proactive checking –test length(“$p”) < 6 If password under 6 characters, reject it –test infile(“/usr/dict/words”, “$p”) If password in file /usr/dict/words, reject it –test !inprog(“spell”, “$p”, “$p”) If password not in the output from program spell, given the password as input, reject it (because it’s a properly spelled word)

22 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-22 Salting Goal: slow dictionary attacks Method: perturb hash function so that: –Parameter controls which hash function is used –Parameter differs for each password –So given n password hashes, and therefore n salts, need to hash guess n

23 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-23 Examples Vanilla UNIX method –Use DES to encipher 0 message with password as key; iterate 25 times –Perturb E table in DES in one of 4096 ways 12 bit salt flips entries 1–11 with entries 25–36 Alternate methods –Use salt as first part of input to hash function

24 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-24 Guessing Through L Cannot prevent these –Otherwise, legitimate users cannot log in Make them slow –Backoff –Disconnection –Disabling Be very careful with administrative accounts! –Jailing Allow in, but restrict activities

25 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-25 Password Aging Force users to change passwords after some time has expired –How do you force users not to re-use passwords? Record previous passwords Block changes for a period of time –Give users time to think of good passwords Don’t force them to change before they can log in Warn them of expiration days in advance

26 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-26 Challenge-Response User, system share a secret function f (in practice, f is a known function with unknown parameters, such as a cryptographic key) user system request to authenticate user system random message r (the challenge) user system f(r) (the response)

27 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-27 Pass Algorithms Challenge-response with the function f itself a secret –Example: Challenge is a random string of characters such as “abcdefg”, “ageksido” Response is some function of that string such as “bdf”, “gkio” –Can alter algorithm based on ancillary information Network connection is as above, dial-up might require “aceg”, “aesd” –Usually used in conjunction with fixed, reusable password

28 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-28 One-Time Passwords Password that can be used exactly once –After use, it is immediately invalidated Challenge-response mechanism –Challenge is number of authentications; response is password for that particular number Problems –Synchronization of user, system –Generation of good random passwords –Password distribution problem

29 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-29 S/Key One-time password scheme based on idea of Lamport h one-way hash function (MD5 or SHA-1, for example) User chooses initial seed k System calculates: h(k) = k 1, h(k 1 ) = k 2, …, h(k n–1 ) = k n Passwords are reverse order: p 1 = k n, p 2 = k n–1, …, p n–1 = k 2, p n = k 1

30 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-30 S/Key Protocol user system { name } user system { i } user system { p i } System stores maximum number of authentications n, number of next authentication i, last correctly supplied password p i–1. System computes h(p i ) = h(k n–i+1 ) = k n–i = p i–1. If match with what is stored, system replaces p i–1 with p i and increments i.

31 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-31 Hardware Support Token-based –Used to compute response to challenge May encipher or hash challenge May require PIN from user Temporally-based –Every minute (or so) different number shown Computer knows what number to expect when –User enters number and fixed password

32 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-32 Kerberos Authentication system –Based on Needham-Schroeder with Denning-Sacco modification –Central server plays role of trusted third party (“Cathy”) Ticket –Issuer vouches for identity of requester of service Authenticator –Identifies sender

33 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-33 Idea User u authenticates to Kerberos server –Obtains ticket T u,TGS for ticket granting service (TGS) User u wants to use service s: –User sends authenticator A u, ticket T u,TGS to TGS asking for ticket for service –TGS sends ticket T u,s to user –User sends A u, T u,s to server as request to use s Details follow

34 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-34 Ticket Credential saying issuer has identified ticket requester Example ticket issued to user u for service s T u,s = s || { u || u’s address || valid time || k u,s } k s where: –k u,s is session key for user and service –Valid time is interval for which ticket valid –u’s address may be IP address or something else Note: more fields, but not relevant here

35 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-35 Authenticator Credential containing identity of sender of ticket –Used to confirm sender is entity to which ticket was issued Example: authenticator user u generates for service s A u,s = { u || generation time || k t } k u,s where: –k t is alternate session key –Generation time is when authenticator generated Note: more fields, not relevant here

36 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-36 Protocol userCathy user || TGS userCathy { k u,TGS } k u || T u,TGS userTGS service || A u,TGS || T u,TGS userTGS user || { k u,s } k u,TGS || T u,s userservice A u,s || T u,s userservice { t + 1 } k u,s

37 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-37 Analysis First two steps get user ticket to use TGS –User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service s –Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to –Step 6 optional; used when u requests confirmation

38 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-38 More Details A key distribution center (KDC), which consists of two logically separate parts: –An Authentication Server (AS) and –A Ticket Granting Server (TGS). The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. –Knowledge of this key serves to prove an entity's identity. –For communication between two entities, the KDC generates a session key which they can use to secure their interactions.

39 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-39 More Details Briefly, the client authenticates to AS using a long-term shared secret and receives a ticket from the AS. Later the client can use this ticket to get additional tickets for SS without resorting to using the shared secret. These tickets can be used to prove authentication to SS. AS = Authentication Server TGS = Ticket Granting Server SS = Service Server TGT = Ticket Granting Ticket

40 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-40 User Client-based Logon Steps A user enters a username and password on the client machine. The client performs a one-way function (Hash mostly) on the entered password, and this becomes the secret key of the client/user.

41 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-41 Client Authentication Steps The client sends a cleartext message to the AS requesting services on behalf of the user. Sample message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS. The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client: –Message A: Client/TGS Session Key encrypted using the secret key of the client/user. –Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS. Once the client receives messages A and B, it decrypts message A to obtain the Client/TGS Session Key. This session key is used for further communications with TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

42 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-42 Client Service Authorization Steps When requesting services, the client sends the following two messages to the TGS: –Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service. –Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key. Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the "client/TGS session key". Using this key, the TGS decrypts message D (Authenticator) and sends the following two messages to the client: –Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/Server Session Key) encrypted using the service's secret key. –Message F: Client/server session key encrypted with the Client/TGS Session Key.

43 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-43 Client Service Request Steps Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages: –Message E from the previous step (the client-to-server ticket, encrypted using service's secret key). –Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key. The SS decrypts the ticket using its own secret key to retrieve the Client/Server Session Key. Using the sessions key, SS decrypts the Authenticator and sends the following message to the client to confirm its true identity and willingness to serve the client: –Message H: the timestamp found in client's Authenticator plus 1, encrypted using the Client/Server Session Key. The client decrypts the confirmation using the Client/Server Session Key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. The server provides the requested services to the client.

44 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-44 Drawbacks Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. –The default configuration requires that clock times are no more than 10 minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized.

45 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-45 Drawbacks The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244. Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys. A compromised client will compromise the user's password Tickets have some fixed fields –Dictionary attacks possible –Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes

46 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-46 C-R and Dictionary Attacks Same as for fixed passwords –Attacker knows challenge r and response f(r); if f encryption function, can try different keys May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations

47 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-47 Encrypted Key Exchange Defeats off-line dictionary attacks Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge Assume Alice, Bob share secret password s In what follows, Alice needs to generate a random public key p and a corresponding private key q Also, k is a randomly generated session key, and R A and R B are random challenges

48 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-48 EKE Protocol Alice Bob Alice || E s (p) Alice Bob E s (E p (k)) Now Alice, Bob share a randomly generated secret session key k Alice Bob Ek(RA)Ek(RA) Alice Bob Ek(RARB)Ek(RARB) Alice Bob Ek(RB)Ek(RB)

49 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-49 EKE and Off-line Dictionary Attacks The cryptographic secrets are susceptible to offline brute force attacks –This may be fine when these secrets are long random strings, but poses considerable difficulty when the secrets are passwords chosen by naïve users. –In EKE, since p and k are randomly generated over large key spaces, such attacks are expensive, even if the space of passwords is small. EKE affords a reasonable level of security even if resources are protected by bad passwords.

50 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-50 EKE and Replay Attacks An attacker with control of the communication channel may insert old, stale messages. –EKE corporate safeguards in the form of random challenges. If a party sends challenge R A encrypted by k where R A was never used before and receives another encrypted message containing R A in response, it shows that the message originator has the ability to encrypt messages with k.

51 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-51 Biometrics Automated measurement of biological, behavioral features that identify a person –Fingerprints: optical or electrical techniques Maps fingerprint into a graph, then compares with database Measurements imprecise, so approximate matching algorithms used –Voices: speaker verification or recognition Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent) Recognition: checks content of answers (speaker independent)

52 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-52 Other Characteristics Can use several other characteristics –Eyes: patterns in irises unique Measure patterns, determine if differences are random; or correlate images using statistical tests –Faces: image, or specific characteristics like distance from nose to chin Lighting, view of face, other noise can hinder this –Keystroke dynamics: believed to be unique Keystroke intervals, pressure, duration of stroke, where key is struck Statistical tests used

53 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-53 Cautions These can be fooled! –Assumes biometric device accurate in the environment it is being used in! –Transmission of data to validator is tamperproof, correct

54 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-54 Location If you know where user is, validate identity by seeing if person is where the user is –Requires special-purpose hardware to locate user GPS (global positioning system) device gives location signature of entity Host uses LSS (location signature sensor) to get signature for entity

55 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-55 Multiple Methods Example: “where you are” also requires entity to have LSS and GPS, so also “what you have” Can assign different methods to different tasks –As users perform more and more sensitive tasks, must authenticate in more and more ways (presumably, more stringently) File describes authentication required Also includes controls on access (time of day, etc.), resources, and requests to change passwords –Pluggable Authentication Modules

56 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-56 PAM Idea: when program needs to authenticate, it checks central repository for methods to use Library call: pam_authenticate –Accesses file with name of program in /etc/pam_d Modules do authentication checking –sufficient: succeed if module succeeds –required: fail if module fails, but all required modules executed before reporting failure –requisite: like required, but don’t check all modules –optional: invoke only if all previous modules fail

57 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-57 Example PAM File authsufficient/usr/lib/pam_ftp.so authrequired/usr/lib/pam_unix_auth.so use_first_pass authrequired/usr/lib/pam_listfile.so onerr=succeed \ item=user sense=deny file=/etc/ftpusers For ftp: 1.If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail 2.Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail 3.Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed

58 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-58 Phishing phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. –Even when using server authentication, it may require tremendous skill to detect that the website is fake.

59 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-59 Phishing (cont.) Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

60 November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-60 Key Points Authentication is not cryptography –You have to consider system components Passwords are here to stay –They provide a basis for most forms of authentication Protocols are important –They can make masquerading harder Authentication methods can be combined –Example: PAM

Download ppt "November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics."

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Authentication & Kerberos

Authentication & Kerberos
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Chapter 12: Authentication

Chapter 12: Authentication
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.
1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.

1 Key Management CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 1, 2004.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.
1 Authentication CS461/ECE422 Fall 2010. 2 Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography

1 Authentication CS461/ECE422 Fall Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography

Similar presentations

Ads by Google