Presentation on theme: "Authentication (and Unix Password Security)" — Presentation transcript:

1 Authentication (and Unix Password Security)

2 Authentication means to establish proof of identity. We will look at these three kinds of authentication for communication on an internetwork:
– user-to-host
– host-to-host
– user-to-user

3 Authentication is done by
– something you are (SYA)
– something you know (SYK)
– something you have (SYH)

4 Authentication: SYA authentication applies to humans.
– e.g. biometrics: techniques that measure biological characteristics or physical phenomena (fingerprint and handprint analysis, retinal scans, voice, handwriting recognition, etc.).

5 Authentication: SYK is the most commonly used form of end-user authentication.
– e.g. user name and password.
It can also be applied to programs that exchange data over the network without human intervention. The strength of SYK authentication depends on whether what is known is really a secret, and whether it can be kept secret.

6 Authentication: In and of itself, SYH is the weakest way to authenticate. The mere possession of an object that can be borrowed, stolen, or duplicated is a poor way to identify its holder. The strength of SYH is greatly improved when it is combined with SYK (for example a token plus a PIN).

7 User-to-Host authentication. Typical methods are
– static passwords
– one-time passwords
– trusted third parties

8 Static passwords: the most ubiquitous authentication scheme employed on the internet today.
– A user-chosen or assigned secret.
– Something that only the user should know. It is an example of SYK.
An example: /etc/passwd, where a one-way derivative of each user's password (not the password itself) is stored.
– Refer to the Unix encrypted password system in the following slides.

9 Static passwords - problems. A password guesser (also known as a cracker) can be used to guess some of the passwords even though the passwords (or rather their derivatives) are stored in encrypted form. The passwords can be guessed because of poor choice, such as a password that is the same as the account name or the user's real name, a popular word from the dictionary, etc. How do cracker programs work?

10 Cracker principle

/* single password cracker
 * user name is srini and password is srini
 * scan the password file for the same user name and password
 * (on a system with shadow passwords pw_passwd is just "x", so this
 * only finds matches when run as root against the real hashes) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <crypt.h>    /* crypt(3); link with -lcrypt on Linux */

int main(int argc, char **argv)
{
    struct passwd *pw;
    char *result;

    /* walk every entry of the password database */
    while ((pw = getpwent()) != NULL) {
        /* hash the user name, using the stored hash as the salt:
         * crypt() only looks at its first two characters, so the
         * result is directly comparable with the stored value */
        result = crypt(pw->pw_name, pw->pw_passwd);
        if (result != NULL && strcmp(result, pw->pw_passwd) == 0)
            printf("%s has the same password\n", pw->pw_name);
    }
    endpwent();
    exit(0);
}

11 Educating users
– Never use a portion or variation of your account name or another account name.
– Never use a portion or variation of your real name, office or home address, or phone number.
– Never use words or variations of words found in any dictionary, especially /usr/dict/words.
– Never use pairings of short words found in any dictionary (dogcat).
– Never use dictionary words or names spelled backwards (like terces).
– Never use syllables or words from a foreign language.
– Never use repeated character strings (like AAAABBBB, LLOOVVEE).
– Never use passwords containing only numeric digits.
– Always use passwords at least seven characters long. Many Unix versions use only the first 8 characters, while some newer ones permit 16 or more.
– Always use a mixture of upper- and lowercase characters. This is an especially valuable rule.
– Always use at least one or two non-alphanumeric characters, like numeric digits, punctuation marks, dollar sign, caret, etc.
All of these rules lead to a large number of combinations, which may take a cracker program long enough to search that the attack is not worthwhile.

12 Preventing insecure passwords
– Find and lock accounts without passwords.
– Manage dormant accounts.
– Do not allow passwords that are similar to the user name, its derivatives or words in /usr/dict/words, and insist that the password contain at least one non-alphabetic character (the npasswd program has this feature).
– Shadow passwords and password aging.
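A password-quality checker that implements the rules of slides 11 and 12 (account-name and real-name fragments, dictionary words, reversed words, joined short words, repeated runs, digits only, length, mixed case, a non-alphanumeric character). This is an added example, not the npasswd program or any code from the original slides; the word list is a constructed stand-in for /usr/dict/words and would be loaded from disk in practice.

```python
import re

# Constructed mini word list standing in for /usr/dict/words (assumption: in
# practice load the system word list, which is far larger).
DICTIONARY = {
    "password", "secret", "love", "dog", "cat", "welcome", "summer",
    "admin", "monkey", "dragon", "qwerty", "hello", "sun",
}
MIN_LENGTH = 7


def _normalise(s):
    """Lower-case and drop punctuation so 'D.o.g' compares as 'dog'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _tokens(identity):
    """Split an account name or real name into lower-case words."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", identity.lower()) if t]


def check_password(password, username="", real_name=""):
    """Apply the slide's rules; return the list of violations (empty == acceptable)."""
    problems = []
    p = _normalise(password)

    # Rule: no portion or variation of the account name or real name.
    for label, identity in (("account name", username), ("real name", real_name)):
        for tok in _tokens(identity):
            if len(tok) >= 3 and (tok in p or tok[::-1] in p):
                problems.append(f"contains part of {label}: {tok}")

    # Rules: dictionary words, reversed words, and pairs of short words (dogcat).
    if p in DICTIONARY:
        problems.append("dictionary word")
    if p[::-1] in DICTIONARY:
        problems.append("dictionary word spelled backwards")
    if any(p[:i] in DICTIONARY and p[i:] in DICTIONARY for i in range(1, len(p))):
        problems.append("two dictionary words joined")

    # Rule: no repeated character strings (AAAABBBB, LLOOVVEE): every character
    # belongs to a run of two or more identical characters.
    if re.fullmatch(r"(?:(.)\1+)+", password):
        problems.append("only repeated character runs")

    # Rules: not digits only, at least 7 characters, mixed case, one non-alphanumeric.
    if password.isdigit():
        problems.append("digits only")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mixture of upper- and lowercase")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    return problems


if __name__ == "__main__":
    samples = [("srini", "srini", "Srinivasan"), ("dogcat", "", ""),
               ("terces", "", ""), ("AAAABBBB", "", ""),
               ("12345678", "", ""), ("Tr0ub4dor&3", "srini", "")]
    for pw, user, name in samples:
        print(f"{pw!r:15} -> {check_password(pw, user, name) or 'acceptable'}")
```

The foreign-language rule is not implemented because it needs additional word lists; adding them to DICTIONARY is enough, since every dictionary rule works on the same set.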

13 Shadow passwords. Shadow passwords are hidden in a shadow file that is readable only by the superuser; typically it is /etc/shadow, readable by root. When shadow passwords are implemented, a "*" or "x" is placed in the password field of the /etc/passwd file. In traditional Unix the password is used as the key to encrypt a block of 64 zero bits with the crypt() function (a modified DES, iterated 25 times). The final 64 encrypted bits are unpacked into a string of 11 printable characters, which is what is stored in the /etc/passwd or /etc/shadow file.

14 Adding salt to the password. Although the source code of crypt() is readily available, no technique is known to translate the encrypted password back into the original password. The only possible attacks are brute force or a dictionary attack. The method as described so far lets an attacker pre-encrypt every dictionary word once and match that table against all the passwords stored in /etc/passwd, amortising the work over every account on every system. To overcome this problem a salt is added to the password.

15 How adding salt works. When you change the password, the /bin/passwd program selects a salt (historically derived from the time of day; modern systems use a random source). The salt is 12 bits, encoded as a two-character string, and is stored in the /etc/passwd file along with the encrypted "password". The encryption of the 64 zero bits is then driven by both the salt and the user-supplied password (in DES crypt the salt perturbs the cipher's expansion permutation rather than simply being concatenated). Having a salt means that the same password can encrypt in 4096 different ways, so an attacker needs 4096 reverse dictionaries instead of one, or must attack each account separately; this makes it much harder to build a reverse dictionary for translating encrypted passwords.
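A demonstration of why the salt defeats a precomputed reverse dictionary, written for slides 14 and 15 as an added example (not code from the original slides). The salt alphabet and 12-bit size match traditional crypt(3); the hash itself is an assumption: SHA-256 over salt + password stands in for the 25-round DES so the example runs anywhere, and the dictionary and victim password are constructed.

```python
import hashlib
import hmac
import secrets
import string

# Traditional crypt(3) salts: two characters from a 64-symbol alphabet = 12 bits.
SALT_CHARS = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

# Constructed dictionary and victim password; a real /usr/dict/words is far larger.
WORDS = ["apple", "secret", "dragon", "letmein", "srini", "welcome", "summer"]


def hash_password(password, salt=""):
    """Stand-in for crypt(): a one-way hash over salt + password.
    Assumption: SHA-256 replaces the 25-round DES of real crypt(3); the
    property that matters here (the salt changes the output) is the same."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def new_salt():
    """Pick a fresh 12-bit salt, as /bin/passwd does when the password is changed."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))


def all_salts():
    """Every possible salt: 64 * 64 = 4096 values."""
    return [a + b for a in SALT_CHARS for b in SALT_CHARS]


def store_salted(password):
    """Password-file entry: the salt followed by the salted hash."""
    salt = new_salt()
    return salt + hash_password(password, salt)


def verify(password, stored):
    """Login check: re-hash with the stored salt and compare in constant time."""
    salt, digest = stored[:2], stored[2:]
    return hmac.compare_digest(hash_password(password, salt), digest)


def build_reverse_dictionary(words, salts=("",)):
    """Attacker's precomputed table: stored-entry -> password, one row per (word, salt)."""
    return {salt + hash_password(w, salt): w for salt in salts for w in words}


def crack_with_table(stored, table):
    """One lookup per account; cheap against unsalted hashes with a small table."""
    return table.get(stored)


def crack_salted(stored, words):
    """Without a per-salt table the attacker must redo the hashing for each account."""
    salt = stored[:2]
    return next((w for w in words if salt + hash_password(w, salt) == stored), None)


if __name__ == "__main__":
    unsalted_table = build_reverse_dictionary(WORDS)
    print("unsalted lookup:", crack_with_table(hash_password("dragon"), unsalted_table))
    entry = store_salted("dragon")
    print("salted entry in the small table:", crack_with_table(entry, unsalted_table))
    print("salted, per-account dictionary attack:", crack_salted(entry, WORDS))
    print("table rows needed to cover every salt:",
          len(build_reverse_dictionary(WORDS, all_salts())))
```

The salt does not stop a dictionary attack on one account (crack_salted still succeeds); it stops the attacker from paying for the dictionary once and reusing it everywhere.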

16 Password aging forces the user to change the password regularly.
– When the allotted lifetime of a password expires, at the next login the user must change it or be denied access to the shell (in Unix).
– smit (the AIX system management tool) allows the configuration of password aging; on Linux the chage(1) command sets the same aging fields in /etc/shadow.
Another aging strategy is password history.
– The user is prevented from reusing one of the earlier passwords.

17 Static passwords with a one-way hash. When a clear-text password is passed through a communication channel, it can be snooped. Using a challenge-response scheme, a host can verify that a user knows the password without the user ever sending the password through the channel. The challenge string is concatenated with the password and a one-way hash of the result is sent to the server for validation; the server, which also knows the password, recomputes the hash and compares. Because each challenge is fresh, a captured response is useless for a later login.

18 Challenge-and-response protocol. Alice and Bob share a key K.
Alice -> Bob: "I am Alice."
Bob -> Alice: a random x (the challenge)
Alice -> Bob: y = E(K, x) (the response)
Bob computes z = E(K, x) and accepts if y = z.
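Both sides of the exchange on slides 17 and 18, written as an added example (not code from the original slides). It uses the keyed one-way hash form from slide 17 rather than the encryption E(K, x) on slide 18; HMAC-SHA256 as that keyed hash and the shared key value are assumptions, and the host keeps each challenge only until it is answered so that a recorded response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret (what Alice and Bob both know). In a real
# deployment it would be the user's password or a key derived from it.
SHARED_KEY = b"correct horse battery staple"


def respond(key, challenge):
    """Alice's side: y = H(K || x). HMAC is the keyed one-way hash used here
    (assumption: the slide only says 'one-way hash of the concatenation')."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Host:
    """Bob's side: hand out one fresh random challenge per login attempt and
    accept only the response computed over that challenge."""

    def __init__(self, key):
        self._key = key
        self._outstanding = {}   # user -> challenge that has not been answered yet

    def challenge(self, user):
        x = secrets.token_bytes(16)            # random, so no response can be reused
        self._outstanding[user] = x
        return x

    def verify(self, user, y):
        x = self._outstanding.pop(user, None)  # a challenge may be answered once
        if x is None:
            return False
        z = respond(self._key, x)              # Bob recomputes z = H(K || x)
        return hmac.compare_digest(y, z)       # accept if y == z, in constant time


def login(host, user, key):
    """Full exchange: 'I am user' -> challenge -> response -> accept or reject."""
    x = host.challenge(user)
    y = respond(key, x)
    return host.verify(user, y)


if __name__ == "__main__":
    bob = Host(SHARED_KEY)
    print("Alice with the right key:", login(bob, "alice", SHARED_KEY))
    print("Mallory guessing the key:", login(bob, "alice", b"password123"))
    # An eavesdropper who recorded (x, y) from a genuine login gains nothing:
    x = bob.challenge("alice")
    y = respond(SHARED_KEY, x)
    bob.verify("alice", y)                     # genuine login consumes the challenge
    print("replaying y later:", bob.verify("alice", y))
```

The password never crosses the wire, but the host must still hold K (or the password) in a form it can compute with, which is why this scheme is usually paired with a protected credential store on the host.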

19 One-time passwords
– S/KEY, based on Leslie Lamport's one-time password scheme and implemented for Unix by Phil Karn.
– Handheld authenticators.
– Smart cards.

20 One-time passwords. As the name implies, a password is used only once. Typically the password is generated by repeatedly applying a one-way function (MD5 in S/KEY) to a secret password. Let p be the password and f the one-way function. If initially n = 9, the first password transmitted for verification will be f^9(p), the next time it will be f^8(p), and so on. The host stores only the last value it accepted and checks that applying f to the newly received value reproduces it; an eavesdropper who captures f^9(p) cannot compute f^8(p) without inverting f, so the captured value is of no use for the next login.
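The chain on slide 20 carried through for both sides, as an added example (not the S/KEY code itself). MD5 is used as f because the slide names it; the secret is constructed. Real S/KEY folds the digest to 64 bits and encodes it as six short words for typing, which is omitted here.

```python
import hashlib
import hmac


def f(x):
    """The one-way function, MD5 as on the slide."""
    return hashlib.md5(x).digest()


def f_n(p, n):
    """f applied n times: f_n(p, 0) == p, f_n(p, 1) == f(p), and so on."""
    for _ in range(n):
        p = f(p)
    return p


class Client:
    """User's side: knows the secret p and counts n down by one per login."""

    def __init__(self, secret, n=9):
        self._secret = secret
        self.n = n

    def enrol(self):
        """Value handed to the host once, at setup: f^(n+1)(p). The host never sees p."""
        return f_n(self._secret, self.n + 1)

    def next_password(self):
        if self.n < 0:
            raise RuntimeError("chain exhausted; re-enrol with a new secret")
        otp = f_n(self._secret, self.n)   # f^9(p), then f^8(p), ...
        self.n -= 1
        return otp


class Host:
    """Server's side: keeps only the last password it accepted."""

    def __init__(self, enrol_value, n=9):
        self.last = enrol_value           # f^(n+1)(p), so the first OTP f^n(p) verifies
        self.remaining = n + 1

    def verify(self, otp):
        # f(f^k(p)) must equal the stored f^(k+1)(p)
        if self.remaining > 0 and hmac.compare_digest(f(otp), self.last):
            self.last = otp               # move one step down the chain
            self.remaining -= 1
            return True
        return False                      # wrong value, replay, or chain used up


if __name__ == "__main__":
    p = b"constructed secret passphrase"
    alice, host = Client(p, n=9), None
    host = Host(alice.enrol(), n=9)
    otp9 = alice.next_password()
    print("f^9(p) accepted:", host.verify(otp9))
    print("same value replayed:", host.verify(otp9))
    otp8 = alice.next_password()
    print("f(f^8(p)) == f^9(p):", f(otp8) == otp9, "| f^8(p) accepted:", host.verify(otp8))
```

Each accepted value becomes the host's new reference, so the host's stored value is always something the attacker may already have seen, and that is harmless: going from f^9(p) to f^8(p) requires inverting f.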

21 Handheld Authenticators. These are handheld password generators, or tokens, and belong to the SYH category of authentication. They work like the challenge-response scheme: the host issues a challenge string that the user keys into the authenticator. The response appears on the authenticator's display, and the user then sends it to the host.

22 Trusted third parties. A key distribution centre (KDC) mediates between the user and the host: both trust the KDC, and it vouches for the user's identity to the host.

23 Advanced authentication
– Kerberos (by MIT)
– KryptoKnight (by IBM)
– SPX (by DEC)
– Lotus Notes
– DCE
– Microsoft ......

24 Host-to-host authentication. IP address/name authentication can be considered as no authentication at all, since addresses and names are easily forged. Digital signatures or keyed one-way hashes (a keyed MD5 digest in the systems of the time; HMAC today) and encryption can be used to authenticate the identity of the sender; a plain MD5 digest on its own proves nothing, because anyone can recompute it.

