Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.

Published byStephany Sharp Modified over 9 years ago

Similar presentations

Presentation on theme: "Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose."— Presentation transcript:

1 Identification Authentication

2 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

3 3 Authentication Information Must be securely maintained by the system.

4 4 Elements of Authentication Person/group/code/system: to be authenticated Distinguishing characteristic: differentiates the entities to be authenticated Proprietor/system owner/administrator: responsible for the system Authentication mechanism: verify the distinguishing characteristic Access control mechanism: grant privileges upon successful authentication

5 5 Authentication Requirements Network must ensure  Data exchange is established with addressed peer entity not with an entity that masquerades or replays previous messages Network must ensure data source is the one claimed Authentication generally follows identification  Establish validity of claimed identity  Provide protection against fraudulent transactions

6 6 User Authentication What the user knows  Password, personal information What the user possesses  Physical key, ticket, passport, token, smart card What the user is (biometrics)  Fingerprints, voiceprint, signature dynamics

7 7 Passwords Commonly used method For each user, system stores (user name, F(password)), where F is some transformation (e.g., one-way hash) in a password file  F(password) is easy to compute  From F(password), password is difficult to compute  Password is not stored in the system When user enters the password, system computes F(password); match provides proof of identity

8 8 Vulnerabilities of Passwords Inherent vulnerabilities  Easy to guess or snoop  No control on sharing Practical vulnerabilities  Visible if unencrypted in distributed and network environment  Susceptible for replay attacks if encrypted naively Password advantage  Easy to modify compromised password.

9 9 Weak Passwords Bell Labs study (Morris and Thompson, 1979), 3289 passwords were examined  15 single ASCII characters, 72 two ASCII characters, 464 three ASCII characters, 477 four ASCII characters, 706 five letters (all lower case or all upper case), 605 six letters, all lower case, 492 week passwords (name, dictionary words, etc.)  Summary: 2831 passwords (86% of the sample) were weak, i.e., either too easy to predict or too short

10 10 Attacks on Password Guessing attack/dictionary attack Social Engineering Sniffing Trojan login Van Eck sniffing

11 11 Guessing Attack Exploits human nature to use easy to remember passwords Trial-and-error attack Easy to detect (failed logins) and block Need audit mechanism

12 12 Social Engineering Attacker asks for password by masquerading as somebody else (not necessarily an authenticated user) May be difficult to detect Protection against social engineering: strict security policy and users’ education

13 13 Dictionary Attacks on Passwords Attack 1:  Create dictionary of common words and names and their simple transformations  Use these to guess password Attack 2:  Usually F is public and so is the password file (encrypted)  Compute F(word) for each word in dictionary  Find match Attack 3:  Pre-compute dictionary  Look up matches

14 14 Password Salt Used to make dictionary attack more difficult Salt is a 12 bit number between 0 and 4095 It is derived from the system clock and the process identifier Compute F(password+salt); both salt and F(password+salt) are stored in the password table User: gives password, system finds salt and computes F(password+salt) and check for match Note: with salt, the same password is computed in 4096 ways

15 15 Password Management Policy Educate users to make better choices Define rules for good password selection and ask users to follow them Ask or force users to change their password periodically Actively attempt to break user’s passwords and force users to change broken ones Screen password choices

16 16 One-time Password Use the password exactly once!

17 17 Lamport’s scheme Doesn’t require any special hardware System computes F(x),F 2 (x),…, F 100 (x) (this allows 100 logins before password change) System stores user’s name and F 100 (x) User supplies F 99 (x) the first time If the login is correct, system replaces F 100 (x) with F 99 (x) Next login: user supplies F 98 (x) … and so on User calculates F n (x) using a hand-held calculator, a workstation, or other devices

18 18 Time Synchronized There is a hand-held authenticator  It contains an internal clock, a secret key, and a display  Display outputs a function of the current time and the key  It changes about once per minute User supplies the user id and the display value Host uses the secret key, the function and its clock to calculate the expected output Login is valid if the values match

19 19 Time Synchronized Secret key Time One Time Password DES

20 20 Challenge Response Work station Host Network Non-repeating challenges from the host is used The device requires a keypad User ID Challenge Response

21 21 Challenge Response Secret key Challenge One Time Password DES

22 22 Devices with Personal Identification Number (PIN) Devices are subject to theft, some devices require PIN (something the user knows) PIN is used by the device to authenticate the user Problems with challenge/response schemes  Key database is extremely sensitive  This can be avoided if public key algorithms are used

23 23 Smart Cards Portable devices with a CPU, I/O ports, and some nonvolatile memory Can carry out computation required by public key algorithms and transmit directly to the host Some use biometrics data about the user instead of the PIN

24 24 Biometrics Fingerprint Retina scan Voice pattern Signature Typing style

25 25 Problems with Biometrics Expensive  Retina scan (min. cost) about $ 2,200  Voice (min. cost) about $ 1,500  Signature (min. cost) about $ 1,000 False readings  Retina scan 1/10,000,000+  Signature 1/50  Fingerprint 1/500 Can’t be modified when compromised

Download ppt "Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose."

Similar presentations

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 3 “User Authentication”.
CSC 474 Information Systems Security

CSC 474 Information Systems Security
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Authentication & Kerberos

Authentication & Kerberos
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
第十章 1 Chapter 10 Authentication of People. 第十章 2 Introduction This chapter deals with password-related issues like how to force users to choose unguessable.

第十章 1 Chapter 10 Authentication of People. 第十章 2 Introduction This chapter deals with password-related issues like how to force users to choose unguessable.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.

Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.

Similar presentations

Ads by Google