Presentation is loading. Please wait.

Presentation is loading. Please wait.

Codes & Ciphers Ltd 12 Duncan Road Richmond, Surrey TW9 2JD Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX Impersonation.

Published byGrant Holmes Modified over 9 years ago

Similar presentations

Presentation on theme: "Codes & Ciphers Ltd 12 Duncan Road Richmond, Surrey TW9 2JD Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX Impersonation."— Presentation transcript:

1 Codes & Ciphers Ltd 12 Duncan Road Richmond, Surrey TW9 2JD Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX Impersonation Attacks Fred Piper

2 Crete - 20072 Outline Information security User recognition –Use of passwords/PINs/cryptogrphic keys –Use of ‘tokens’ Phishing Protection against man-in-the-middle attacks Multi factor or multi channel? The use of mobile phones as a ‘token’ for user recognition?

3 Crete - 20073 What is Information Security? Some features include: Confidentiality – Protecting information from unauthorised disclosure Integrity – Protecting information from unauthorised modification, and ensuring that information can be relied upon and is accurate and complete Availability – Ensuring information is available to authorised users when they need it

4 Crete - 20074 Defences and Attacks Defences: Introduce security mechanism to protect data –Technical –Procedural –Contractual Introduce strong authentication mechanism Attacks: Break the technical security mechanism Impersonate an authorised entity by breaking procedural mechanism

5 Crete - 20075 User Recognition (1) 3 factors: 1) Something you know (Password/PIN/Cryptographic Key) 2) Something you own (Token) 3) Personal characteristic (Biometrics) NOTE: Usually one-way authentication Tokens and biometrics often require ‘readers’ ‘Danger’ of false ‘readers’ Cost issues

6 Crete - 20076 User Recognition (2) Many systems rely on more than 1 factor For multi-factor systems compromise of 1 factor should not enable impersonation The PIN/magnetic stripe card for ATM networks is an example of a 2-factor system where each individual factor is ‘weak’

7 Crete - 20077 Something You Know Password PIN Cryptographic key Obvious observations: –A PIN is a password with limited alphabet –A cryptographic key may be regarded as a (secret) password which the user may use but probably not know –Policies for the management of PINs and Passwords are inconsistent

8 Crete - 20078 Password Policy It is often recommended that: Users should adopt a large alphabet (at least alpha- numeric with upper and lower case letters) Passwords should be long (at least 8 characters?) Passwords should be randomly generated Passwords should be different for each system Passwords should be changed frequently Passwords should not be written down

9 Crete - 20079 PINs Personal identification number Usually 4 digits (sometimes 6) –Reason: users will not be able to remember longer PINs! NOTE: This is inconsistent with general password policy. Undoubtedly a weak password

10 Crete - 200710 Cryptographic Keys It is the use of a cryptographic key, rather than revealing its value, that identifies a user

11 Crete - 200711 Cipher System Cryptogram c Encryption Key Encryption Algorithm Message m Decryption Algorithm Decryption Key Message m Interceptor Key establishment channel (secure)

12 Crete - 200712 Two Types of Cipher System Conventional or Symmetric –Decryption Key easily obtained from Encryption Key Public or Asymmetric –Computationally infeasible to determine Decryption Key from Encryption Key

13 Crete - 200713 Keys as Identifiers Asymmetric System –Use of the private key acts as an identifier to ‘everyone’ Symmetric System –Use of a key identifies users only to those (trusted) people who share that key NOTE: If an asymmetric system is used, an impersonator may either 1. obtain the use of the user’s private key 2. substitute their public key for that of the user

14 Crete - 200714 Authentication Using Smart Tokens Static Password Tokens –Owner authenticates himself to token –Token identified owner to system Dynamic Password Tokens –Token generates new password –(Owner activates token with PIN) –Owner enters ID plus dynamic password –System knows which dynamic password to accept Challenge-Response Tokens –System generates challenges –Owner activates token with PIN and enters challenge –Token generates response (probably challenge encrypted with key that is unique to token) –System knows which response to accept

15 Crete - 200715 Dynamic Passwords User’s password changes frequently (possibly at each log-in) Change influenced by at least one of: Secret information known to user Intelligent device which is unique to user

16 Crete - 200716 Challenge/Response for Dynamic Password Given an unpredictable challenge, user’s token produces a response which is: Appropriate to the challenge Dependent on a user’s token Dependent on user’s knowledge

17 Crete - 200717 The Challenge / Response Principle for hand-held token Key Random number ChallengePIN-Controlled A A Response A - encrypt or OWF Y/N = ? HOST USER

18 Crete - 200718 Impersonation Attacks 1-way authentication –Steal and/or copy token –Guess or ‘observe’ password/PIN/cryptographic key –Con the user into divulging password/PIN eg phishing –Gain access to device using key 2-way authentication –Man-in-the-middle

19 Crete - 200719 Phishing Attacks (1) Social engineering Attacker discovers secret ‘information known’ Banking customers have been ‘prime’ targets via email messages and fake websites

20 Crete - 200720 Phishing Attacks (2) Countermeasures User education/awareness Use of 2 or 3 factor systems so that compromise of 1 factor has limited impact

21 Crete - 200721 Identification over the Internet Many applications use 2-factor systems that allow ‘card not present’ transactions Effectively a physical token is replaced by a virtual token which is nothing more than a card number This is a 1-factor system In Singapore the FA mandates use of genuine 2-factor authentication In UK banks are starting to issue customers with Chip and PIN ‘readers’

22 Crete - 200722 Phishing Browsers starting to try to detect fake websites –Google Safe Browsing for Firefox browser –Microsoft’s Internet Explorer 7 Anti-Phishing War Group (APWG) –Forum to discuss phishing issues and share best practices –www.antiphishing.org

23 Crete - 200723 Phishing Attacks Summary Enable attacks to discover secret ‘information known’ ‘Best’ countermeasure is user education/awareness Effectiveness of attack decreases for 2 or 3 factor systems Use of conventional 2 or 3 factors often expensive and needs special hardware Introduction of ‘one-time’ PINs such as ITANs for some German e-banking systems helps

24 Crete - 200724 D-H Man-in-the-Middle Attack B Fraudster F The Fraudster has agreed keys with both A and B A and B believe they have agreed a common key A F’s public key B’s public key A’s public key

25 Crete - 200725 Protection Against Man-in-the-Middle Attack Rely on TTP to establish key management infrastructure (eg PKI) Use second (independent) communications channel to confirm key between A and B (Over) Simple Example: –D-H protocol establishes 1024 shared bits –AES key is 128 bits from agreed positions –Users exchange different 32-bit sequences from the 1024 bits over second (possibly insecure) channel

26 Crete - 200726 OOB (Out of Band) Authentication Requirement A user claims an identity over a computer network Host wants to use a second channel to confirm it is the genuine user Neither party is willing to pay for ‘extra hardware’

27 Crete - 200727 Use of Two Channels Prior to PK crypto, most cryptographic systems needed a second (secure) channel for initial key establishment One motivation for introduction of PK crypto

28 Crete - 200728 OOB Communications Symmetric cryptography –Use secure second channel to enable secure communications over an insecure primary channel Authentication –Use second (possibly insecure) channel to confirm that the communications over the primary channel are secure NOTE: In this context an insecure channel is one where interception is possible.

29 Crete - 200729 Communications How does ‘token’ communicate with host: One channel or two channel system? One-way or two-way authentication? What is the interface? –The user? –A reader that is part of the network? –Other?

30 Crete - 200730 Mobile Phones There is a move towards systems where the mobile phone is ‘something you own’ No reader required No extra cost (in the sense that most people have them) Use their own channel Security implications?

31 Crete - 200731 Question Are there situations where using the mobile phone as a token in a 2-factor system and using a second communication channel can decrease the chance of successful impersonation attacks?

Download ppt "Codes & Ciphers Ltd 12 Duncan Road Richmond, Surrey TW9 2JD Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX Impersonation."

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.

NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.

Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
DIGITAL SIGNATURES Fred Piper & Mert Özarar Codes & Ciphers Ltd 12 Duncan Road Richmond Surrey TW9 2JD Information Security Group Royal Holloway, University.

DIGITAL SIGNATURES Fred Piper & Mert Özarar Codes & Ciphers Ltd 12 Duncan Road Richmond Surrey TW9 2JD Information Security Group Royal Holloway, University.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Encryption. Introduction Computer security is the prevention of or protection against –access to information by unauthorized recipients –intentional but.

Encryption. Introduction Computer security is the prevention of or protection against –access to information by unauthorized recipients –intentional but.

Similar presentations

Ads by Google