Identification and Authentication CS432 - Security in Computing Copyright © 2005,2010 by Scott Orr and the Trustees of Indiana University.


3 Section Overview
Identity
Password Authentication
Password System Vulnerabilities
Two Factor Authentication

4 References
Security in Computing, 3rd Ed., Chapter 4 (pgs. 209-223)
Online Resources:
  Password Security: A Case History by Robert T. Morris and Ken Thompson
  Foiling the Cracker by Daniel V. Klein

5 Common OS Security Features
Audit
Access Control
Authentication

6 Identity and Authentication
Why usernames?
  Grant access to system
  Control access to resources
  Accountability
Passwords
  Prove you are who you say you are
  Often the weakest link in system security

7 Low-Tech Vulnerabilities
Shared Passwords
  Email
  Spoken
  Written down near computer
Social Engineering
Shoulder Surfing
Dumpster Diving or "Trashing"
  Account slips
  Manuals/Documentation

8 Early Authentication
Login: scott
Password: secret
Password file (passwords stored in plaintext):
  alice:boxcar
  bob:secret
  chris:qwerty
  debbie:aaaaa
  linda:adnil
  scott:secret
  tom:tom1
Welcome...
Security was not a concern!

9 Password Encryption
Login: scott
Password: secret
One-way hash of "secret": Fq%sd6
Password file (hashes instead of plaintext):
  alice:kDiBZ7
  bob:Fq%sd6
  chris:3ybIY/
  debbie:1vaZlR
  linda:kAQWNz
  scott:Fq%sd6
  tom:wXmvVq
Welcome...
What if two users have the same password? (bob and scott both store Fq%sd6)

10 Salting the Password
Login: scott
Password: secret
Salt: pA
One-way hash of salt + password: pAFq%sd6 (the salt "pA" is stored in front of the hash)
Password file:
  alice:jrhS/T2I
  bob:9qW1ky!e
  chris:d5UTV1w5
  debbie:b9lvn17j
  linda:9sNBXr/Z
  scott:pAFq%sd6
  tom:q.ZFrpuN
Welcome...
Encrypted passwords randomized but still readable.
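Slides 9 and 10 side by side, as an added example that is not part of the original deck: the slide-8 users are hashed once without and once with a salt, and an audit check lists users whose stored values coincide (the bob/scott case). SHA-256 stands in for the slide's DES-based one-way hash, and the salt is longer than the slide's two characters; both are assumptions of this example.

```python
import hashlib
import hmac
import os

# Plaintext password file from slide 8, used here as constructed input.
PLAINTEXT_FILE = {"alice": "boxcar", "bob": "secret", "chris": "qwerty", "debbie": "aaaaa",
                  "linda": "adnil", "scott": "secret", "tom": "tom1"}
SALT_BYTES = 4  # 8 hex characters; the slide's "pA" is only two

def hash_password(password: str, salt: str = "") -> str:
    """Stand-in for the slide's one-way hash: SHA-256 instead of crypt(3)'s DES (assumption).
    As on slide 10 the salt is stored in front of the hash so it can be reused at login."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:8]
    return f"{salt}${digest}"

def new_salt() -> str:
    return os.urandom(SALT_BYTES).hex()

def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt prefix and compare in constant time."""
    salt = stored.partition("$")[0]
    return hmac.compare_digest(stored, hash_password(password, salt))

def build_password_file(plaintext: dict, salted: bool) -> dict:
    """Slide 9 (salted=False) versus slide 10 (salted=True)."""
    return {user: hash_password(pw, new_salt() if salted else "") for user, pw in plaintext.items()}

def shared_password_groups(password_file: dict) -> list:
    """Audit check: users whose stored values are identical, i.e. slide 9's 'two users, same password'."""
    by_value = {}
    for user, stored in password_file.items():
        by_value.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]

if __name__ == "__main__":
    for salted in (False, True):
        print("salted" if salted else "unsalted",
              shared_password_groups(build_password_file(PLAINTEXT_FILE, salted)))
```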

11 UNIX Password Encryption
DES one-way hash: the password is used as the key, the all-zero block 0x00000000 is encrypted 25 times, and the salt randomizes the result
The output is "asciified"; valid characters: A-Za-z0-9./
Example: password "balloons" with salt "Vs" gives VsjqYhTwQiJPw (the salt is the first two characters)
Newer systems use MD5 now

12 Lan Manager Password Encryption
The password "14charpassword" is upper-cased and split into two 7-character halves: 14CHARP and ASSWORD
Each half is fed separately through a DES one-way hash
Hash values shown on the slide: 0xAAD3B435B51404EE, 0xE79E56A8E5C6F8FE, 0xAAD3B435B51404EE
(0xAAD3B435B51404EE is the value produced by an empty half, so it appears whenever the password is 7 characters or shorter)

13 Windows Password Encryption
6-14 character passwords
Stored in registry and files (SAM)
Backwards compatible with LAN Manager (2nd entry)
Password -> 16-bit Unicode characters -> MD4 one-way hash -> SAM

14 Weak Passwords
No passwords used
Smoking Joes
Information about user
Dictionary Attacks
  Modification of user ID or name
  Modification of dictionary word(s)
  Keyboard patterns
  Any systematic, algorithmic generator

15 Dictionary Attacks
/etc/passwd entries:
  alice:######
  bob:9qW1ky!e
  scott:pAFq%sd6
  tom:######
Dictionary: aa, aback, ..., secrecy, secret, secrete, ..., zurich, zygote
Each word is hashed with the salt "pA"; "secret" gives pAFq%sd6: Match!!!
Quick but only catches weaker passwords

16 Klein's Tests (1990)
Type of words in dictionary      % of broken passwords
/usr/dict/words                  30.6%
Common names                     16.5%
User/account name                11.2%
Male/Female names                 9.1%
Phrases and patterns              7.5%
System names                      4.1%
24.2% of all passwords tested were broken.
Source: Dan Klein, Foiling the Cracker

17 Selecting Strong Passwords
At least 14 characters in length
Mix of case, numbers and special characters
Something you can remember
Techniques
  License plating (becoming weaker)
  Acronyms from phrases
  Passphrases

18 Pass Phrase Examples
smo11012006: Poor
ardl79BEf76357: 14 characters, hard to remember. Good
MydogSkiplovestoplayfetcheveryday: 33 characters, easier to remember. Better
Myd0gSkipluvs2playfetchev3ryday: 31 characters, easier to remember; limit duplicate letters (substitute with numbers, punctuation, or special characters). Best
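A system-wide weak-password check of the kind slides 14, 17 and 23 call for, as an added example that is not part of the original deck: it applies the length and character-mix rules of slide 17 and Klein-style tests for the user name, dictionary words (also reversed or with "license plate" substitutions undone) and keyboard patterns. The tiny DICTIONARY and the substitution table are constructed stand-ins for /usr/dict/words and a real rule set.

```python
import re

# Constructed stand-in for /usr/dict/words plus the weak passwords seen on slide 8.
DICTIONARY = {"secret", "boxcar", "qwerty", "password", "balloons", "dog", "fetch"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# "License plating" substitutions undone before the dictionary lookup (slide 17 calls the trick weak).
UNPLATE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def looks_like_dictionary_word(candidate: str) -> bool:
    """Klein-style test: the word itself, reversed, or after undoing digit/symbol substitutions."""
    base = candidate.lower().translate(UNPLATE)
    stripped = re.sub(r"[^a-z]", "", base)   # drops trailing digits/punctuation, e.g. secret1!
    return any(w in DICTIONARY or w[::-1] in DICTIONARY for w in (base, stripped) if w)

def keyboard_pattern(candidate: str) -> bool:
    """Runs of at least four adjacent keys along a row, in either direction."""
    low = candidate.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)

def weak_password_findings(password: str, username: str) -> list:
    """Return the reasons a proposed password should be rejected; an empty list means acceptable."""
    findings = []
    if len(password) < 14:
        findings.append("shorter than 14 characters")
    if password.lower() == password or password.upper() == password:
        findings.append("no mix of upper and lower case")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        findings.append("no digits or special characters")
    if username and username.lower() in password.lower():
        findings.append("contains the user name")
    if looks_like_dictionary_word(password):
        findings.append("dictionary word or simple modification of one")
    if keyboard_pattern(password):
        findings.append("keyboard pattern")
    return findings
```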

19 Brute Force Attacks
/etc/passwd entries:
  alice:######
  bob:9qW1ky!e
  scott:pAFq%sd6
  tom:######
Candidates generated in order: aaa, ..., secres, secret, secreu, ..., zzzzzzzy, zzzzzzzz
Each candidate is hashed with the salt "pA"; "secret" gives pAFq%sd6: Match!!!
Effective but very slow!
(Hybrids will try rule-based dictionary attacks first)

20 Rainbow Tables
Brute force attacks are time consuming
Alternative: calculate all hashes ahead of time (time/memory tradeoff)
Look hash up in table to find password
Space saved by grouping into chains
Salting can defeat system

21 Creating Tables
Diagram: each chain starts from an index (a password) I, which is hashed to H, reduced back to a new index I, hashed again, and so on for a fixed number of steps; only the first index and the final hash of each chain are stored.

22 Rainbow Cracking
Obtain password hash to crack
Does it match any hash at end of chains?
  Yes: Stop (password is in this chain)
  No: Reduce password and rehash
Repeat until match
Keep track of number of checks
Iterate through chain to get password
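Slides 21 and 22 carried through on a toy password space, as an added example that is not part of the original deck: chains are built from start indices, only (final hash, start) pairs are kept, and a lookup tries the hash against the chain ends, reducing and rehashing from each possible column, then walks the matching chain to recover the password. The truncated SHA-256 hash, the three-letter password space and the column-dependent reduce function are assumptions of this example; the last one is the refinement that makes the table a rainbow table rather than a plain Hellman table.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN, CHAIN_LEN = 3, 50   # toy space of 26**3 passwords, chains of 50 hashes

def h(password: str) -> str:
    """Toy one-way hash standing in for DES/MD5: truncated SHA-256 (assumption, not the page's)."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def reduce_(digest: str, pos: int) -> str:
    """Map a hash back into the password space; mixing in the column number is the rainbow refinement."""
    n = (int(digest, 16) + pos) % 26 ** PW_LEN
    return "".join(ALPHABET[(n // 26 ** i) % 26] for i in range(PW_LEN))

def build_table(starts):
    """Slide 21: I -> H -> reduce -> I -> H ...; only each chain's start and final hash are stored."""
    table = {}
    for start in starts:
        pw = start
        for pos in range(CHAIN_LEN):
            digest = h(pw)
            if pos < CHAIN_LEN - 1:
                pw = reduce_(digest, pos)
        table.setdefault(digest, []).append(start)   # merged chains share an end hash
    return table

def lookup(table, target):
    """Slide 22: compare with chain ends, else reduce and rehash, trying each possible column."""
    checks = 0
    for pos in range(CHAIN_LEN - 1, -1, -1):
        cur = target
        for p in range(pos, CHAIN_LEN - 1):   # assume target sits in column pos; walk to the end
            cur = h(reduce_(cur, p))
        checks += 1
        for start in table.get(cur, []):      # rebuild the chain from its start to reach the password
            pw = start
            for p in range(CHAIN_LEN):
                digest = h(pw)
                if digest == target:
                    return pw, checks
                pw = reduce_(digest, p)
    return None, checks                       # false alarm or hash not covered by the table

def demo():
    starts = [ALPHABET[i % 26] + ALPHABET[3 * i % 26] + ALPHABET[7 * i % 26] for i in range(200)]
    table = build_table(starts)
    pw = starts[0]              # constructed target: the password in column 17 of chain 0
    for p in range(17):
        pw = reduce_(h(pw), p)
    found, checks = lookup(table, h(pw))
    return found, checks, found is not None and h(found) == h(pw)
```

Salting, as slide 20 notes, defeats this: a table built for one salt is useless for every other salt value.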

23 Minimizing Password Threats
User Education!!!
Shadow Passwords
More secure password changing programs
System-wide weak-password checks
Password Aging
  Maximum time between changes
  Minimum time between changes

24 UNIX /etc/shadow
Fields:
  Username
  Encrypted password
  Day last changed
  Minimum # days between changes
  Maximum # days between changes
  Notify # days before account expires
  Account Inactivation: expire # days after max change (Linux); expire after # days of inactivity (Solaris)
  Expiration day
  Flags (unused)
Example: sorr:$1$KHvoRlZt$n3z6SWZa09tMU5EC4FTr9/:12784:3:90:7::13149:
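The slide's example record parsed into its nine fields and run through the aging rules of slides 23 and 24, as an added example that is not part of the original deck. The status names and the Linux reading of the inactivity field are this example's own; the day numbers are days since 1970-01-01, so 12784 is 2005-01-01 and 13149 is 2006-01-01.

```python
from datetime import date, timedelta

# The slide's example record, used here as constructed input.
SHADOW_LINE = "sorr:$1$KHvoRlZt$n3z6SWZa09tMU5EC4FTr9/:12784:3:90:7::13149:"
FIELDS = ["user", "hash", "last_change", "min_days", "max_days", "warn_days",
          "inactive_days", "expire_day", "flags"]
EPOCH = date(1970, 1, 1)

def parse_shadow(line: str) -> dict:
    """Split a record into the nine colon-separated fields; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def hash_kind(hash_field: str) -> str:
    """Classify the password field: locked/no-login, the slide's $1$ MD5-crypt, other $id$ schemes, or DES."""
    if not hash_field or hash_field[0] in "!*":
        return "locked-or-no-login"
    if hash_field.startswith("$1$"):
        return "md5-crypt"
    return "other-crypt" if hash_field.startswith("$") else "des-crypt"

def day_to_date(day: int) -> date:
    return EPOCH + timedelta(days=day)   # 12784 -> 2005-01-01

def aging_status(entry: dict, today: int) -> str:
    """Apply the slide's aging fields for a given day number (days since 1970-01-01, Linux semantics)."""
    if entry["expire_day"] is not None and today >= entry["expire_day"]:
        return "account-expired"
    age = today - entry["last_change"]
    max_days, warn, inactive = entry["max_days"], entry["warn_days"], entry["inactive_days"]
    if max_days is not None:
        if inactive is not None and age > max_days + inactive:
            return "account-inactive"
        if age > max_days:
            return "password-expired"
        if warn is not None and age >= max_days - warn:
            return "change-soon"
    if entry["min_days"] is not None and age < entry["min_days"]:
        return "ok-no-change-allowed-yet"
    return "ok"
```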

25 Biometrics Source: www.biometricgroup.com

26 Security Concerns of Biometrics
Uludag, U. and A. Jain (2004). Attacks on biometric systems: a case study in fingerprints.

27 Two Factor Authentication
Something you know
Something you have
Something you are

28 Challenge/Response OTP
Login: scott
Challenge: otp 87 mj1492
OTP calculator: Seq #: 87, Seed: mj1492, Pass Phrase: "Open me!" -> DOG FOX ONE TOO
Response: DOG FOX ONE TOO
Welcome...
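Both sides of the exchange on slide 28, as an added example that is not part of the original deck: the server issues the sequence number and seed, the calculator hashes seed plus pass phrase that many times, and the server accepts a response only if hashing it once more yields the value it stored, then moves the window down so the same OTP cannot be replayed. Truncated SHA-256 stands in for the iterated hash of S/Key-style schemes, and responses are raw bytes rather than the slide's four-word encoding; both are assumptions of this example.

```python
import hashlib
import hmac

def otp_hash(data: bytes) -> bytes:
    """One-way step of the scheme; truncated SHA-256 stands in for S/Key's MD4 (assumption)."""
    return hashlib.sha256(data).digest()[:8]

def compute_otp(seed: str, passphrase: str, seq: int) -> bytes:
    """What the calculator does: hash seed+passphrase seq times; seq=87 gives OTP #87."""
    value = (seed + passphrase).encode()
    for _ in range(seq):
        value = otp_hash(value)
    return value

class OtpServer:
    """Holds the seed, the current sequence number and the hash of the next expected response.
    The pass phrase itself is never stored."""
    def __init__(self, seed: str, seq: int, verifier: bytes):
        self.seed, self.seq, self.verifier = seed, seq, verifier

    @classmethod
    def enroll(cls, seed: str, passphrase: str, seq: int):
        # Enrolment stores OTP #(seq+1); the first login will present OTP #seq.
        return cls(seed, seq, compute_otp(seed, passphrase, seq + 1))

    def challenge(self) -> str:
        return f"otp {self.seq} {self.seed}"       # the slide's "otp 87 mj1492"

    def verify(self, response: bytes) -> bool:
        """Accept iff hash(response) equals the stored value; then step the window down by one."""
        if not hmac.compare_digest(otp_hash(response), self.verifier):
            return False
        self.verifier, self.seq = response, self.seq - 1
        return True

def demo():
    seed, passphrase = "mj1492", "Open me!"       # values from slide 28
    server = OtpServer.enroll(seed, passphrase, 87)
    seq = int(server.challenge().split()[1])
    response = compute_otp(seed, passphrase, seq)  # calculator on scott's side
    first = server.verify(response)
    replay = server.verify(response)               # same OTP presented again: rejected
    second = server.verify(compute_otp(seed, passphrase, 86))
    return first, replay, second, server.seq
```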

29 Synchronized OTP
Login: scott
SecurID Code: 234836 (changes every minute)
Welcome...
Beware of Race Condition Attacks

30 Misc. Access Control
Failed attempt lockouts
Password reuse restrictions
User can only log in if certain conditions are met:
  Time of Day
  Day of Week
  Location or Terminal
  Unique for each user

