Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD.

Published byMark Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD."— Presentation transcript:

1 Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD

2 I&A Introduction Purpose: to identify a user to the system To authenticate someone, at least one of the following factors must be supplied: –Something known (user name and password) –Something owned (password token) –Some physical characteristic (fingerprint, retinal scan, voice scan) Authentication is weak if only one is supplied. Two are required for strong authentication.

3 E-Commerce and Authentication To have the flexibility of money, I&A should not be required until a purchase is made. You can require the user to log into your site, but most authentication schemes are very weak. You will be liable if the user data escapes due to weak authentication. (Risk!) SSL authenticates the web site to the user, not the user to the web site. The user authenticates herself by providing credit card details. Consider paying a third party to handle this.

4 Passwords Local login –Provide a user ID –Then provide a password Remote logins are similar –telnet, rlogin, rsh, ssh (terminal sessions) –ftp, ncftp, sftp, rcp, scp (file transfer) Avoid telnet, ftp, ncftp, rlogin, rsh, and rcp. They transmit I&A data in the clear.

5 Implementing Passwords Do not store passwords in the clear. Store the encrypted password and compare to that. Password files should not be accessible to users. Hackers can run ‘crack’ against them in a dictionary attack. Consider running ‘crack’ regularly against your own password file. UNIX provides a ‘salt’ field in the password file unlike Windows. This is concatenated with the password before encryption (using DES), increasing the search space for ‘crack’.

6 Good Password Policies 6 or more characters Change every 30-60 days Passwords must be used for at least 2-7 days Previous passwords cannot be reused. Three+ different character types (upper case, lower case, numbers, symbols) Avoid weak passwords (names, addresses, phone numbers, SSNs, common dictionary words or phrases, and simple variations on the above).

7 An Approach to Choosing Stronger Passwords (Suggested by Qinetiq.) Start with a phrase about a date. Use the initials, lower case and upper case alternating. Insert a special character somewhere. Remember September 11th, 2001! rS1101! My birthday is February 29th! mBiF29!

8 Tokens Rather than something you know (password), you provide something you own. The usual approach is that you provide an identifier (the first factor), and The system then sends you a challenge that you respond to (the second factor). The response is generated by a device that you keep in your possession.

9 Biometrics The system identifies you by something you are: –Fingerprint(s) –Retina pattern –Iris pattern –Facial pattern –Voice Demands good and expensive technology.

10 Handling Special Requirements (Example) FAA system administrators at an enroute control center work as a team, under the supervision of a NAS Operations Manager (NOM). Logging in would disrupt teamwork and delay response to emergencies. Hence I&A is handled procedurally, except at terminals away from the central operations area. In the central operations area, the team logs in using a team ID and password that is only good there. Elsewhere individual ID/PW are required.

11 FIA—CC User Identification and Authentication Functions FIA_AFL –How do you handle a login failing (possibly repeatedly)? FIA_UID –How does a user identify herself? –What actions may an unidentified user take? FIA_SOS –Do you generate passwords or other secrets for the user? –If not, do you test user-provided passwords or other secrets for strength?

12 CC User Authentication Functions FIA_UAU –What user actions do you allow before the identified user must authenticate herself? –How many authentication mechanisms are used? –What are the authentication mechanisms? –Under what conditions must the user reauthenticate herself? –How does the system avoid letting the user know why ID and authentication failed?

13 Miscellaneous CC I&A Functions FIA_ATD –What security attributes are associated with the individual? FIA_USB –Does the system associate user actions with user identity? FTA_TSE –What factors (access port, ID, user location) affect whether a user is allowed to establish a session?

14 More Miscellaneous CC I&A Functions FTA_TAH –Does the system report an access history to the user at session establishment? FTP_TRP –Is there a trusted path between the user and the system? Can it be enforced? AGD_ADM –Administrator guidance documentation. AGD_USR –User guidance documentation.

15 Conclusions Strong authentication is desirable. Costs are significant. Not really compatible with e-commerce. Vulnerable to social engineering and the general public availability of private data.

Download ppt "Identification and Authentication University of Sunderland COM380 Harry R. Erwin, PhD."

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.

15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Access Control Methodologies

Access Control Methodologies
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.

Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Similar presentations

Ads by Google