Presentation is loading. Please wait.

Presentation is loading. Please wait.

Week 2 - Wednesday.  What did we talk about last time?  Authentication  Challenge-response  Passwords.

Published bySusanna Webb Modified over 9 years ago

Similar presentations

Presentation on theme: "Week 2 - Wednesday.  What did we talk about last time?  Authentication  Challenge-response  Passwords."— Presentation transcript:

1 Week 2 - Wednesday

2  What did we talk about last time?  Authentication  Challenge-response  Passwords

3

4

5

6

7  Biometrics means identifying humans by their physical and biological characteristics  This technology is often seen in spy and science fiction movies  It does exist, but it is far from perfect  Like passwords, the actual biometric scans are usually not stored  Instead specific features are stored for later comparison  Biometrics pose unique privacy concerns because the information collected can reveal health conditions

8  Historically, fingerprints are one of the most heavily used forms of biometric identification  Especially useful for solving crimes  Even identical twins have different fingerprints  Fun fact: Koalas have fingerprints so similar to human beings that even experts are fooled  Optical scanners are available  Cheap, capacitive scanners are now even available on many laptops  The image of the fingerprint is usually not stored  Instead, specific, differentiable features are recorded

9  Voice recognition systems must be trained on your voice  They can be defeated with recording devices  If you have a cold, it throws off the characteristics of your voice  As a consequence, they are particularly susceptible to both false positives and false negatives

10  As the technology matures and hardware becomes cheaper, eye recognition is becoming more common  Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye)  For simplicity, the image is converted to grayscale for comparison  Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses!  Retina scans exist but are unpopular  The retina is the tissue lining the inside of your eye and requires pupil dilation to get an accurate picture, blinding you for several minutes  There are even systems for recognizing the patterns of discolorations on the whites of your eyes!

11  The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive  Although they can be nearly the same for identical twins  Computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc.  Participants must have a neutral facial expression or results can be thrown off  The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country  Their database has over 75 million photographs

12  Hand geometry readers measure the shape of your hand  Keystroke dynamics are the patterns that you use when typing  Users are quite distinctive, but distractions and injuries can vary patterns a lot  Combinations of different biometrics are sometimes used  DNA sequencing is not (yet) fast enough to be used for authentication  Researchers are always coming up with new biometrics to use

13  People assume that they are more secure than they are  Attacks:  Fingerprints can be lifted off a champagne glass  Voices can be recorded  Iris recognition can be faked with special contact lenses  Both false positives and false negatives are possible  It is possible to tamper with transmission from the biometric reader  Biometric characteristics can change  Identical twins sometimes pose a problem

14  Sensitivity is positive results among correct matches  a / (a + c)  Specificity is negative results among people who are not sought  d / (b + d)  Accuracy is how often the test is correct  (a + d) / (a + c + b + d)  Prevalence is how common a condition is  (a + c) / (a + c + b + d) Is the Person Claimed Is Not the Person Claimed Test is Positive ab Test is Negative cd

15

16  Tokens are physical objects you possess  Keys  Badges  Cell phones  RFIDs  Passive tokens take no action and do not change  Example: photo ID  Active tokens change or interact with surroundings  Examples: RFID or magnetic card

17  The value of a static token does not change  Examples: Keys, passports, RFIDS  Static tokens are better for onsite authentication and may be easy to forge for remote authentication  Dynamic tokens have values that change  Examples: RSA SecurdID, Battle.net Authenticator  Every 60 seconds, it displays a different code

18  RSA SecurIDs change the password every 30 or 60 seconds  The user must be synchronized with the system within a few seconds to keep this practical  Using a secure hash function, we start with a seed value k, then  h(k) = k 1, h(k 1 ) = k 2, …, h(k n-1 ) = k n  Then passwords are in reverse order  p 1 = k n, p 2 = k n-1, … p n-1 = k 2, p n = k 1

19  More than one form of authentication may provide increased security  You may need to sign on with your password and with a code generated by an RSA SecurID  They sometimes need two forms of ID when you're getting a driver's license  Two-factor authentication is available for Gmail, Facebook, Battle.net, Steam and many other platforms  Often they only ask for the second form of authentication if the computer has not logged on before  Multifactor authentication is probably more secure, but it adds complexity and possibly annoyance

20  It's annoying to sign on to lots of different services with lots of different authentication mechanisms  Federated identity management schemes connect a variety of different services with one authentication method  Example: free access to the OED because you're logged on to E-town computers  Single sign-on is similar, allowing you to log in once, with services sharing authentication information  Examples: logging onto Meetup.com with Facebook or Google credentials

21

22  Subjects are human users or programs that are executing on their behalf  Objects are things that actions can be performed on  Files  Database fields  Directories  Hardware devices  Access modes are the different ways that access can be done: read, write, modify, delete, etc.  Access control is the process of managing the access modes that subjects can have on objects

23  Check every access  The user may no longer have rights to a resource  The user may have gained rights  Enforce least privilege  Least privilege means you get the bare minimum to get your job done  Verify acceptable usage  Access to an object is not enough: Some actions might be legal and others illegal

24  Many issues come up with access control  Do the correct people have the correct rights? Have statuses changed?  Granularity is the how specifically you can control rights  Maybe you can only give complete rights to an object, not read-only rights  An audit log tracks who performed what kinds of accesses  Limited privilege tries to keep accesses from doing big damage  Example: sudo in Linux

25  It is possible to temporarily use another user’s permissions in Unix using the command sudo  Users can be given special access to files or commands they normally could not access  An administrator can run at a normal privilege level and only occasionally run commands using higher privileges  This strategy prevents the whole system from being corrupted if the administrator gets a virus

26  Create a directory that lists all the objects a given user can access and their associated rights:  Examples: read, write, execute, own  The own write gives the user the ability to grant others rights to that object  Problems:  Directories can become large  How is access revoked?  What if two files in different locations in the system have the same name?

27  Listing all the objects a user can access can take up too much space  An alternative is to list all the users that have rights for a specific object  Most objects only have a few legal users  Wild cards can make the situation easier  Read access can be granted to everyone

28  Both directories and access control lists are equivalent  Different implementations are used for different kinds of efficiency  We can also imagine a matrix that holds all subjects and all objects  Although it is far too inefficient for most systems to be implemented this way, security researchers sometimes use this model for theoretical purposes  Can you determine if some sequence of operations could leak read access to your file?  Nope, it’s impossible!

29 Objects Subjectsfile 1file 2process 1process 2 process 1 read, write, own read read, write, execute, own write process 2appendread, ownread read, write, execute, own

30  A few possible rights:  Read  Write  Execute  Own  Anything else that is useful?  Some rights allow users to change the rights of others

31  What would the access control matrix look like for the Canvas gradebook system?

32  Unix has users, groups, and processes  A user has a unique UID  A group has a unique GID  A process has a unique PID  Each user can belong to many groups  Access is controlled on:  Files  Directories

33  Reading  Writing  Executing  Ownership is also important

34  Reading  Execution allows moving through the directory  Writing and executing are needed to create and delete files in a directory  There is also a “sticky bit” for directories  If the sticky bit is set, only the directory owner can rename, move, or delete files owned by other people

35 drwxr-xr-x  First character:directory or not  Next three characters: owner permissions  Next three characters: group permissions  Next three characters: other permissions

36  We can change permissions using the Linux command chmod  Examples:  chmod a+r wombat.txt  chmod g+rw combat.txt  chmod 664 ramjet.txt  Whoa! 664? What’s that?  Would it help if I pointed out that 664 can be written 110110100?

37  Role-based access control makes an effort to abstract away from specific subjects  The idea is that you should have access based on your role  Examples:  Secretaries have access to mailboxes  Department heads have access to performance reports  Provosts have access to salaries

38  A role is a collection of job functions  Each role is authorized to perform one or more transactions  The active role of a subject is the role that s is currently performing  The authorized roles of a subject make up the set of roles that the subject is authorized to assume

39

40  Finish access control  Cryptography basics  Minh Doan presents

41  Read Section 2.3  Work on Project 1  Class is canceled on Friday, March 11  The company EC Key is sponsoring a contest to come up with novel uses for their BlueTooth door access technology  Interested? Come to the meeting this Friday, 1/22 at 3:30pm in Hoover 110  Teams will be formed from CS, engineering, and business students  Ask me for more information!  Also, there's a field trip to Cargas Systems in Lancaster next Friday

Download ppt "Week 2 - Wednesday.  What did we talk about last time?  Authentication  Challenge-response  Passwords."

Similar presentations

Dr. Marc Valliant, VP & CTO

Dr. Marc Valliant, VP & CTO
ECE 5367 – Presentation Prepared by: Adnan Khan Pulin Patel

ECE 5367 – Presentation Prepared by: Adnan Khan Pulin Patel
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
BIOMETRIC VOTING SYSTEM

BIOMETRIC VOTING SYSTEM
Biometrics By: Ashley Rodriguez. Biometrics An automated method of recognizing a person based on physical or behavioral traits. Consist of two main classes.

Biometrics By: Ashley Rodriguez. Biometrics An automated method of recognizing a person based on physical or behavioral traits. Consist of two main classes.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Section 2.3.5 – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.

Section – Biometrics 1. Biometrics Biometric refers to any measure used to uniquely identify a person based on biological or physiological traits.
By: Monika Achury and Shuchita Singh

By: Monika Achury and Shuchita Singh
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
FIT3105 Biometric based authentication and identity management

FIT3105 Biometric based authentication and identity management
Introduction to Biometrics Dr. Pushkin Kachroo. New Field Face recognition from computer vision Speaker recognition from signal processing Finger prints.

Introduction to Biometrics Dr. Pushkin Kachroo. New Field Face recognition from computer vision Speaker recognition from signal processing Finger prints.
GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.

GUIDE TO BIOMETRICS CHAPTER I & II September 7 th 2005 Presentation by Tamer Uz.
SE571 Security in Computing

SE571 Security in Computing
Biometrics and Authentication Shivani Kirubanandan.

Biometrics and Authentication Shivani Kirubanandan.
Marjie Rodrigues 411154.

Marjie Rodrigues
Security-Authentication

Security-Authentication
Biometric Authentication Presenter: Yaoyu, Zhang Presenter: Yaoyu, Zhang.

Biometric Authentication Presenter: Yaoyu, Zhang Presenter: Yaoyu, Zhang.
Geoff Lacy. Outline  Definition  Technology  Types of biometrics Fingerprints Iris Retina Face Other ○ Voice, handwriting, DNA  As an SA.

Geoff Lacy. Outline  Definition  Technology  Types of biometrics Fingerprints Iris Retina Face Other ○ Voice, handwriting, DNA  As an SA.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Similar presentations

Ads by Google