Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 250 Authentication. Between human and machine Between machine and machine.

Published byGriffin Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "COEN 250 Authentication. Between human and machine Between machine and machine."— Presentation transcript:

1 COEN 250 Authentication

2 Between human and machine Between machine and machine

3 Human Machine Authentication Authentication protocols are based on  What you know. E.g. password, pass-phrase, (secret key, private key).  What you have. Physical key, smart card.  What you are. Biometrics.  Where you are. E.g. trusted machine, access to room, …

4 Authentication Passwords  Predate computers.  As do some attacks (stealing, guessing) Older cell phone technology transmits originating number with a password. Password good, call goes through. Eavesdropper receives phone number – password combination. Eavesdropper can now clone the phone.

5 Authentication Password Attacks  Guessing On-line  Time consuming.  Authentication attempts are usually logged.  Can detect attack long before it is likely to succeed.  Can disrupt the attack. Off-line  Attacker needs to steal relevant data from which password(s) can be determined.  Attacker can use arbitrary amount of computing power.  Capturing Passwords Eavesdropping Login Trojan Horse

6 Authentication Passwords are stored  On each server Alice uses.  Centrally: Authentication Storage Node: Each server retrieves the information when it wants to authenticate Alice.  Centrally: Authentication Facilitator Node: Each server takes Alice’s data and password and goes to the AFN.

7 Authentication Password can be stored  Unencrypted Simple Dangerous  Implicitly as hashes of passwords As in UNIX, VMS  Encrypted  Hashed and Encrypted

8 Authentication Example: Network Information Service (Yellow Pages)  Directory service is the authentication storage node.  Stores hashed passwords of users.  Typically, hashed passwords list is world readable Access by claiming to be a server.  NIS authentication storage node does not authenticate itself to users. Allows impersonation of authentication service.

9 Authentication Passwords for machine – machine communication can be made difficult to guess.  Arbitrary length  Truly random choice of characters. Human-machine passwords  Guessable  Subject to dictionary attack.

10 Authentication Dictionary attack  Most passwords are natural language words.  Or derived from natural language words.  Guess the language.  Use a dictionary to try out all words in the language.  Start with common passwords first.  Replace a single character in a word, attach a random character, etc.

11 Authentication Brute-Force Attack Generate all possible password.  Sometimes make assumptions on the alphabet only printable character characters on a key-board

12 Authentication Salting  Protects hashed passwords against an offline attack. Brute Force attack attacks all passwords in password file simultaneously.

13 Authentication Salting Store a salt with each password Hash depends on salt and password. Use different salts for different passwords. Store salt with password.

14 Authentication Salting  Brute force attack, dictionary attack can only attack a single password.

15 Authentication Passwords are compromised:  By obtaining password file. Safeguard by  Hashing and Salting  Encryption  By eavesdropping on an exchange Use one-way passwords:  Lamport Hash

16 Authentication Address Based  Common in early UNIX Rtools: .rhosts  In user home directory  (Computer, Account) pairs  These pairs are allowed access to the user’s account /etc/hosts.equiv  List of network addresses of “equivalent” machines  Account name on A is equivalent to account name on B.  Users have to have identical account names.

17 Authentication Addressed based authentication threatened by  Access escalation Attacker gains access to one hosts. Access cascades to equivalent hosts / rhosts.  Spoofing addresses Very easy to spoof source address. Harder to intercept traffic back.

18 Authentication Ethernet network address impersonation  Easy on the same link.  Hubs do not protect.  Switches can be spoofed through the ARP protocol.  Routers are harder to fool, but can be attacked and provided with misleading routing data.

19 Authentication Cryptographic authentication  Alice proves her identity to Bob by proving to Bob that she knows a secret. Hashes Secret key cryptography Public key cryptography.

20 Human Machine Authentication Initial password distribution to humans  Pre-expired, strong passwords Through mail  Derivable from common knowledge Student ID

21 Human Machine Authentication Authentication Token  Possession of the token proves right to access. Magnetic stripe as on credit cards.  Harder to reproduce  “Impossible” to guess Demand special hardware Can be lost or stolen  Add pin or password protection Are not safe against communication eavesdropping and forging

22 Human Machine Authentication Authentication Token  Smart Card. Needs to be inserted in a smart card reader. Card authenticates to the smart card reader.  PIN protected smart cards.  Stops working after a number of false PINs.  Cryptographic challenge / response cards  Card contains a cryptographic key.  Authenticating computer issues a challenge.  Card solves the challenge after PIN is entered.  Harder to crack than PIN protected smart cards because key is never revealed.

23 Human Machine Authentication Authentication Token  Smart Card. Readerless smart card (Cryptographic calculator)  Communicates with owner through mini-keyboard and display.  Authenticating computer issues a challenge to Alice.  Alice types in challenge into readerless smart card.  Readerless smart card solves the challenge.  After Alice puts in her password.  Alice transfers the answer to the computer.

24 Human Machine Authentication Biometrics  Retinal scanner  Fingerprint reader  Face recognition  Iris scanner  Handprint readers  Voiceprints  Keystroke timing  Signatures

25 Authentication Security Policy Defining Protection Levels Partitioning Computing Resources  Usually necessary (law) to have special security for sensitive areas: Human Resources Accounting …  Network can be repartitioned using subnets with special protection and special procedures

26 Authentication Security Policy Defining Protection Levels Partitioning Computing Resources  Protection by naming Increase protection by not making certain systems visible from the outside Local LAN Internet external firewall external DNS server internal firewall internal DNS server

27 Authentication Security Policy Defining Protection Levels “Human resources, accounting, and other administrative support systems shall be physically partitioned from the general network in such a manner to control the flow of information to and from those systems” “Network name services shall be configured to provide Internet users with generic names to accessible internal systems while serving meaning full names to internal, organizational users.” “Network addresses shall be predefined for every system and network device and may be preloaded or resolved when logged in to the network.” “Network address servers and those used to resolve addresses shall be protected in accordance with best practice appropriate for that device.”

28 Network Access Control Typical: One external access point  Connection to ISP Gateways: Points where network traffic is transferred from the organization’s network to the internet:  Dial-in, Dial-out  Other external connections  Internet connections  Wireless connections

29 Network Access Control “All telephone access to the network shall be centrally protected by strong authentication controls. Modems shall be configured for dial- in or dial-out access but not both. The Network Administrator shall provide procedures to grant access to modem services. Users shall not install modems at any other location on the network without appropriate review and authorization.” “Any gateway proposed to be installed on the company’s network that would violate policies or procedures established from these policies shall not be installed without prior approval of the Information Security Management Committee.” “Applications that require gateway services shall be authenticated to the network. If the service itself cannot be authenticated, services carried through the gateway shall be subject to authentication policies described in this document.”

30 Login Policies User Identification Guest accounts Login Banners  Establish privacy expectation  Work as “no-trespassing” signs Login Controls Login Reporting

31 User Accounts Establishment of special privileges

32 Password Policies Policies defining strength of passwords  Length of password  Composition of password  Storage of passwords by users  Default passwords for systems / applications This problem is going away, but still  Password Testing

33 Telecommuting / Remote Access Policies Preserve security of IT assets at the organization  Employee’s equipment is probably not well protected  Authentication over the internet / dial-up Protection of organizational data  Legally / Technically  In Transit / Stored / During Processing

34 Mobile Equipment Employees work with company equipment outside of the perimeter Storing data on removable drives  USB drives

Download ppt "COEN 250 Authentication. Between human and machine Between machine and machine."

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies

Access Control Methodologies
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
第十章 1 Chapter 10 Authentication of People. 第十章 2 Introduction This chapter deals with password-related issues like how to force users to choose unguessable.

第十章 1 Chapter 10 Authentication of People. 第十章 2 Introduction This chapter deals with password-related issues like how to force users to choose unguessable.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Chapter 9 Overview of Authentication System

Chapter 9 Overview of Authentication System
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

Similar presentations

Ads by Google