Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Published byCecil Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt."— Presentation transcript:

1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt Bishop

2 Overview Basics Passwords Storage Selection Breaking them Other methods Multiple methods June 1, 2004 Computer Security: Art and Science ©2002-2004 Matt BishopSlide #12-2

3 Basics Authentication: binding of identity to subject Identity is that of external entity (my identity, Matt, etc.) Subject is computer entity (process, etc.) Computer Security: Art and Science ©2002-2004 Matt Bishop

4 Establishing Identity One or more of the following What entity knows (eg. password) What entity has (eg. badge, smart card) What entity is (eg. fingerprints, retinal characteristics) Where entity is (eg. In front of a particular terminal) Computer Security: Art and Science ©2002-2004 Matt Bishop

5 Authentication process Obtain authorization information from an entity Analyze the data Determine if it is associated with that entity The computer must save some information about the entity A mechanism to manage this information is required Authentication system Computer Security: Art and Science ©2002-2004 Matt Bishop

6 Authentication System (A, C, F, L, S) Authentication information(A) information that proves identity Complementary information(C) information stored on computer and used to validate authentication information Set of complementary functions (F) Generates the complementation information from the authentication information i.e. for f  F, f: A  C Set of authentication functions that verify identify functions(L) For l  L, l: A x C  { true, false } Set of selection functions (S) Enable entity to create, alter information in A or C Computer Security: Art and Science ©2002-2004 Matt Bishop

7 Example Password system, with passwords stored on line in clear text A set of strings making up passwords C = A F - singleton set of identity function { I } L - single equality test function { eq } S - function to set/change password Computer Security: Art and Science ©2002-2004 Matt Bishop

8 Passwords Information associated with an identity that confirms the entity’s identity. Authentication mechanism based on what people know User supplies known password, system validates it Computer Security: Art and Science ©2002-2004 Matt Bishop

9 Passwords Sequence of characters Examples: 12 digits (password space = 10 12 elements), a string of letters, etc. Generated randomly, by user, by computer with user input Sequence of words Examples: pass-phrases Algorithms Examples: challenge-response, one-time passwords Computer Security: Art and Science ©2002-2004 Matt Bishop

10 Storage Store as cleartext If password file compromised, all passwords revealed Encipher file Need to have decipherment, encipherment keys in memory Reduces to previous problem Store one-way hash of password If file read, attacker must still guess passwords or invert the hash Computer Security: Art and Science ©2002-2004 Matt Bishop

11 Example UNIX system standard hash function Hashes password into 11 char string using one of 4096 hash functions As authentication system: A = { strings of 8 chars or less } C = { 2 char hash id || 11 char hash } F = { 4096 versions of modified DES } L = { login, su, … } S = { passwd, nispasswd, passwd+, … } Computer Security: Art and Science ©2002-2004 Matt Bishop

12 Anatomy of Attacking Goal : find a  A such that: For some f  F, f(a) = c  C c is associated with entity Two ways to determine whether a meets these requirements: Direct approach: as above Indirect approach: as l(a) succeeds iff f(a) = c  C for some c associated with an entity, compute l(a) Computer Security: Art and Science ©2002-2004 Matt Bishop

13 Preventing Attacks How to prevent this: Method 1: Hide enough information such that one of a, f, or c cannot be found Prevents obvious attack from above Method 2: Prevent access to the authentication functions L. Block access to all l  L or result of l(a) Prevents attacker from knowing if guess succeeded Computer Security: Art and Science ©2002-2004 Matt Bishop

14 Dictionary Attacks Trial-and-error from a list of potential passwords Off-line: know f and c’s, and repeatedly try different guesses g  A until the list is done or passwords guessed Examples: crack, john-the-rippercrack On-line: have access to functions in L and try guesses g until some l(g) succeeds Examples: trying to log in by guessing a password Dictionary (i.e. A) List of random strings Set of strings in decreasing order of probability of selection. Computer Security: Art and Science ©2002-2004 Matt Bishop

15 Using Time Maximize the time the defender needs to determine the password Anderson’s formula: P probability of guessing a password in specified period of time G number of guesses tested in 1 time unit T number of time units during which guessing occurs N number of possible passwords (|A|) Then P ≥ TG/N Computer Security: Art and Science ©2002-2004 Matt Bishop

16 Example Goal Passwords drawn from a 96-char alphabet Can test 10 4 guesses per second Probability of a success to be 0.5 over a 365 day period What is minimum password length? Solution N ≥ TG/P = (365  24  60  60)  10 4 /0.5 = 6.31  10 11 Choose s such that 96 s ≥ N So s ≥ 6, meaning passwords must be at least 6 chars long Computer Security: Art and Science ©2002-2004 Matt Bishop

Download ppt "Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt."

Similar presentations

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #11-1 Chapter 11: Authentication Basics Passwords Challenge-Response Biometrics.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #12-1 Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics.
CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.

CSCI 530 Lab Authentication. Authentication is verifying the identity of a particular person Example: Logging into a system Example: PGP – Digital Signature.
1 Authentication CS461/ECE422 Fall 2010. 2 Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography

1 Authentication CS461/ECE422 Fall Reading Chapter 12 from Computer Security Chapter 10 from Handbook of Applied Cryptography
Block and Stream Ciphers1 Reference –Matt Bishop, Computer Security, Addison Wesley, 2003.

Block and Stream Ciphers1 Reference –Matt Bishop, Computer Security, Addison Wesley, 2003.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Similar presentations

Ads by Google