Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Authentication and access control.

Published byWalter Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Authentication and access control."— Presentation transcript:

1 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 1 Authentication and access control overview March 24, 2008

2 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 2 Outline Definitions Authentication Factors Evaluation Examples Access control Case study: Convenient SecureID Case study: Website mutual authentication

3 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 3 Definitions Identification - a claim about identity Who or what I am (global or local) Authentication - confirming that claims are true I am who I say I am I have a valid credential Authorization - granting permission based on a valid claim Now that I have been validated, I am allowed to access certain resources or take certain actions Access control system - a system that authenticates users and gives them access to resources based on their authorizations Includes or relies upon an authentication mechanism May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations

4 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 4 Building blocks of authentication Factors Something you know (or recognize) Something you have Something you are Two factors are better than one Especially two factors from different categories What are some examples of each of these factors? What are some examples of two-factor authentication?

5 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 5 Authentication mechanisms Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics

6 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 6 Evaluation Accessibility Memorability Security Cost Environmental considerations

7 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 7 Typical password advice

8 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 8 Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down So what do you do when every web site you visit asks for a password?

9 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 9 Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

10 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 10

11 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 11 Problems with Passwords Selection Difficult to think of a good password Passwords people think of first are easy to guess Memorability Easy to forget passwords that aren’t frequently used Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters Reuse Too many passwords to remember A previously used password is memorable Sharing Often unintentional through reuse Systems aren’t designed to support the way people work together and share information

12 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 12 Four Mnemonic Passwords First letter of each word (with punctuation) fsasya,oF Substitute numbers for words or similar-looking letters 4sa7ya,oF Substitute symbols for words or similar-looking letters F 4sasya,oF Four 4sa7ya,oF 4s&7ya,oF score s anda seven s yearsy ago a,, our oFathers F Source: Cynthia Kuo, SOUPS 2006

13 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 13 The Promise? Phrases help users incorporate different character classes in passwords Easier to think of character-for-word substitutions Virtually infinite number of phrases Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006

14 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 14 The Problem? “Goodness” of mnemonic passwords unknown Yan et al. compared regular, mnemonic, and randomly generated passwords  Used standard (non-mnemonic) dictionary  Effectively evaluated whether mnemonic passwords contained dictionary words Source: Cynthia Kuo, SOUPS 2006

15 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 15 Source: Cynthia Kuo, SOUPS 2006 Mnemonic password evaluation Mnemonic passwords are not a panacea for password creation No comprehensive dictionary today May become more vulnerable in future Many people start to use them Attackers incentivized to build dictionaries Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

16 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 16 Password keeper software Run on PC or handheld Only remember one password

17 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 17 Single sign-on Login once to get access to all your passwords

18 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 18 BiometricsBiometrics

19 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 19 Graphical passwords

20 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 20 “Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently used sites?

21 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 21 Convenient SecureID 1 Source: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx What problems does this approach solve? What problems does is create?

22 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 22 Convenient SecureID 2 Sources: http://fob.webhop.net/ What problems does this approach solve? What problems does is create?

23 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 23 Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html 1.User gets ID, password (or alternative), image, hotspot at enrollment 2.Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons 3.Then login box appears and user enters username and password (or alternative) 4.Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear) 5.User finds their image and clicks on hotspot  Image manipulation can help prevent replay attacks What problems does this solve? What problems doesn’t it solve? What kind of testing is needed

24 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 24 Types of access control Discretionary access control Distributed, dynamic, users set access rules for resources they own and can delegate access to others Role-based access control Centralized admin assigns users to roles and sets access rules based on roles And many others that vary discretionary/mandatory centralized/distributed granularity grouping

25 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ 25 Access control usability problems Admins, large organizations understanding large access control policies Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document Who has access to this document anyway? End users creating and understanding policies Examples: File system permissions, Grey, Perspective, privacy rules Home users want to share some files with some other users, but don’t want to share everything

26 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ Policy conflicts Given Alice is in GroupA and GroupB FileQ is in FolderX What types of conflicts might occur? Direct conflict Alice allowed access to FileQ Alice denied access to FileQ Group/group conflict GroupA allowed access to FileQ GroupB denied access to FileQ User/group conflict Alice allowed access to FileQ GroupA denied access to FileQ File/directory conflict Alice allowed access to FileQ Alice denied access to FolderX 2-way conflict Alice allowed access to FileQ GroupA denied access to FolderX 26

27 Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor http://cups.cs.cmu.edu/courses/ups.html/ How can conflicts be resolved? Default rule – deny/allow takes precedence Ordered rules – policy author sets order Ordered rules – most recent first/last Specificity – most/least specific takes precedence Weighted rules – policy author assigns weights Exceptions – policy authors defines exceptions (essentially a partial ordering) Combination 27

Download ppt "Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Authentication and access control."

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
Online Submission and Management Information -- Authors

Online Submission and Management Information -- Authors
Access Control Methodologies

Access Control Methodologies
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.
Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication.

Authentication. Definitions Identification - a claim about identity Identification - a claim about identity –Who or what I am (global or local) Authentication.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Similar presentations

Ads by Google